THE PARTNERSHIP BETWEEN NIST AND THE PRIVATE SECTOR: IMPROVING CYBERSECURITY


THURSDAY, JULY 25, 2013 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 2:37 p.m. in room 
SR-253, Russell Senate Office Building, Hon. John D. Rockefeller 
IV, Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
U.S. SENATOR FROM WEST VIRGINIA 

The Chairman. I am going to make a statement, and then Sen- 
ator Thune is going to make a statement, and then we are going 
to go right to your testimony because this is a very, very important 
hearing. 

We are going to spend a lot of time today talking about a Federal agency most Americans have never heard of, the National Institute of Standards and Technology, or NIST. I can assure you that in this committee we have heard of NIST. And we understand and appreciate the important role that NIST plays in our country’s economic success. You are scientists for one thing. You are engineers. You are technical experts all over the world. The whole technical world and increasingly the public policy world, partly because of cybersecurity but just in general, trusts and knows NIST. You are the worldwide gold standard. That is not me talking. That is other people talking, and you will hear that from the Netherlands in just a second.

So let me give you an example. A couple of weeks ago, this com- 
mittee was having a hearing on the very important issue of improv- 
ing forensic science, which is not all that “Law and Order” says 
that it is. One of our witnesses was the chief of forensic science 
labs in the Netherlands, which is one of the top forensic science or- 
ganizations in the world. The Netherlands official proudly an- 
nounced at the hearing that his agency had just signed a memo- 
randum of agreement with you all at NIST on improving the qual- 
ity of forensic science standards. When Senator Thune asked him 
why his agency wanted to partner with NIST, he said it was be- 
cause when it comes to standards, NIST is, “absolutely the top- 
notch organization, the state-of-the-art, worldwide.” 

If you look up NIST’s authorizing law, you will read that NIST’s core mission is to serve as a laboratory, a science, engineering, technology, and measurement laboratory. I really want to stress this point for the members of this committee, those who are here and those who should be, and the business community who may not have worked closely with NIST before, as many of us have. NIST is not a regulatory agency. It is a scientific laboratory to which all sorts and manner of institutions repair to improve themselves.

NIST’s mission is to help American businesses solve tough technical problems. Whether it is emerging technologies like the Smart Grid or cloud computing or consumer products like flame-retardant mattresses or television screens, NIST’s job is to help American industry help itself. With its unrivaled technical expertise and its well-deserved reputation for objectivity, NIST has been working closely with the private sector for many years to help U.S. companies innovate and to compete with their foreign competitors.

I was very pleased but, frankly, not totally surprised when Presi- 
dent Obama issued an executive order earlier this year instructing 
NIST to begin looking at how we can protect our critical assets 
from something called “cyber attacks” which, in spite of all we do, 
Americans seem not to be able to grasp as to their importance and 
danger. I am looking forward to hearing from Dr. Gallagher and 
our other witnesses today about how their work on this so-called 
“Cybersecurity Framework” is progressing. 

Getting NIST involved in cybersecurity makes a lot of sense and 
may save the day for cybersecurity, that is, passing legislation, be- 
cause NIST already has decades of experience working with the 
private sector or on computer security issues. NIST’s computer se- 
curity work goes as far back as 1972 when it started working on 
the Data Encryption Standard. 

It also makes sense because we need our country’s very best 
minds in both the public and the private sectors focused on work- 
ing on this problem. Back in 2009, when Senator Olympia Snowe 
and I started working on cybersecurity legislation in the Commerce 
Committee, not everybody appreciated the seriousness of this 
threat. But today, 4 years later, I believe that we have reached a 
very broad consensus in this country that cyber attacks present the 
gravest threats to our national and economic security. The FBI 
says it. The CIA says it. DOD says it. ODNI says it. Everybody 
says it. And we just got to drive the point home. And what Senator 
Thune and I are hoping to do is to do a bill which would actually 
get this whole process going, the importance of momentum. 

But anyway, I think people now do understand cybersecurity rep- 
resents a huge threat. Every new report about stolen intellectual 
property or disruption of service attacks against a large U.S. com- 
pany drives this point home. 

Making progress against our cyber adversaries is going to require 
a sustained, coordinated effort between the public and the private 
sectors, and it is going to require the combined resources of many 
different Government agencies, which is part of the problem, and 
businesses. Acting alone, this committee cannot make all of the 
changes needed to give our Government and businesses the tools 
they need to make real progress in cybersecurity because we come 
from three different jurisdictions, which is not fun. It is OK but it 
is not the best way to do something. 
But there are some important steps that we can and should take such as promoting cybersecurity research and encouraging talented young people to work in cybersecurity, which I think you will agree is a desperate, desperate problem. Probably the most important step we can take as a committee is to make sure that the technical experts at NIST stay engaged and working with the private sector to develop effective cybersecurity standards by which they will stick and do. If this process succeeds, our businesses and the Government agencies will have a powerful new tool to protect ourselves against cybersecurity.

I would like to thank Senator Thune for working with me on this 
very important issue. Since he became Ranking Member of this 
committee at the beginning of this year, he has devoted a tremen- 
dous amount of time to mastering this whole subject of 
cybersecurity. Yesterday we introduced legislation that we hope 
will serve as one of the cornerstones to our country’s cybersecurity 
strategy. I look forward to having a good conversation today about 
our bill, about other things that we can and should be doing to pro- 
tect our country from this massive threat. 

I thank you. 

Senator Thune? 

STATEMENT OF HON. JOHN THUNE, 
U.S. SENATOR FROM SOUTH DAKOTA

Senator Thune. Thank you, Mr. Chairman, for holding this hear- 
ing and for your continued leadership on cybersecurity. You 
brought this critical issue to the fore, and you have been steadfast 
in your commitment to addressing the problem. 

No one can deny the serious threat that we are confronting in 
cyberspace. Almost daily we learn of new cyber threats and attacks 
targeting our Government agencies and the companies that drive 
our economy. We must find solutions that leverage the innovation 
and know-how of the private sector, as well as the expertise and 
information held by the Federal Government. And given the esca- 
lating nature of the threat, we should look for solutions that will 
have both an immediate impact and that will remain flexible and 
agile into the future. 

In keeping with that task, in March this Committee held a joint 
hearing with the Homeland Security and Governmental Affairs 
Committee not long after the President issued his cybersecurity Ex- 
ecutive Order in February. Today we are here to examine the Na- 
tional Institute of Standards and Technology’s implementation of 
that portion of the Executive Order pertaining to the cybersecurity 
partnership between the private sector and the Federal Govern- 
ment to improve best practices in cybersecurity. The feedback we 
have heard from many in the industry regarding NIST’s process 
has been fairly positive so far. 

We are also here to examine the legislation that Chairman Rockefeller and I have introduced, after soliciting feedback from industry stakeholders and our colleagues. I think this bill strikes the proper balance to ensure that what develops is industry-led and a true partnership between NIST and the private sector. It also ensures that NIST’s involvement and this process are both ongoing in order to maintain the flexibility and continued innovation that is necessary to meet such a dynamic threat.

Our proposed legislation also includes needed titles to improve 
research and development. We should not underestimate the value 
of R&D. As I have mentioned previously, I am proud to note that 
South Dakota’s own Dakota State University is one of only four 
schools in the Nation designated by the National Security Agency 
as a National Center of Academic Excellence in Cyber Operations. 
Other titles of our bill improve education and work force develop- 
ment, as well as cybersecurity awareness and preparedness. 

I am pleased that our offices worked with industry, fellow Senate 
colleagues, and other stakeholders to solicit and incorporate their 
feedback in crafting this legislation and will continue to do so as 
we move forward. By following regular order in the committees of 
jurisdiction, we hope to avoid the legislative impasse from the last 
Congress and ultimately enact legislation that will make real im- 
provements to our nation’s cybersecurity. 

Our hearing witnesses today include the Director of NIST and 
representatives from the private sector who can provide this com- 
mittee with their perspectives on how the current NIST process is 
developing. I look forward to hearing whether our legislation is a 
step in the right direction to provide a partnership that is truly vol- 
untary and industry-led. 

I am also pleased that the Chairman and I both recognize that 
an essential component of cybersecurity is strong information shar- 
ing regarding threats. Such sharing should occur both between 
Government and industry and among private sector actors with 
strong liability protections. It is our hope that our colleagues on the 
Senate Intelligence Committee will be successful in crafting bipar- 
tisan consensus legislation that achieves these goals. 

As the Chair of the House Intelligence Committee has said, ac- 
cording to intelligence officials, allowing the Government to share 
classified information with private companies could stop up to 90 
percent of cyber attacks on U.S. networks. 

It is also our hope that the Senate Homeland Security Com- 
mittee can similarly work in a bipartisan fashion to make needed 
improvements to the Federal Information Security Management 
Act in order to better secure our Federal networks. 

If our Committees can work to produce complementary consensus 
legislation, that would be a significant step forward in this area. 

Again, I thank the Chairman for holding this hearing. I want to 
thank our witnesses for being here, and we look forward to hearing 
your testimony. Thank you, Mr. Chairman. 

The Chairman. Thank you, Senator Thune.

I am tempted to ask if any of our other Senators want to say a 
word, but I just lost that temptation. 

[Laughter.] 

The Chairman. So we will start with the Honorable Patrick D. Gallagher, who has been before us recently and frequently. He is Acting Deputy Secretary, Under Secretary of Commerce — I cannot read this stuff — for Standards and Technology, and Director, National Institute of Standards and Technology, U.S. Department of Commerce. I mean, they put the last thing, which is the important thing, last. We did. So I apologize. Anyway, we welcome your statement.

STATEMENT OF DR. PATRICK D. GALLAGHER, UNDER 
SECRETARY OF COMMERCE FOR STANDARDS AND 
TECHNOLOGY AND DIRECTOR, NATIONAL INSTITUTE OF 
STANDARDS AND TECHNOLOGY, UNITED STATES 
DEPARTMENT OF COMMERCE 

Dr. Gallagher. Thank you very much. Chairman Rockefeller, 
Ranking Member Thune, it is a real pleasure to be here and to join 
you and the rest of this committee to talk about this really impor- 
tant issue. It is great to both be able to talk about NIST, but in 
particular, I want to talk about this partnership with industry and 
I want to welcome my colleagues at the table today. 

Let me start by mentioning a few words about NIST itself. As you mentioned, since 1901, NIST has played a rather unique and essential role as the Nation’s measurement laboratory, as industry’s national lab. And in that capacity, it is a nonregulatory agency with the mission to promote U.S. innovation and competitiveness by advancing measurement science, standards, and technology in ways that enhance our economic security and improve our quality of life. And as you will hear more about today, our work in the area of information security, trusted networks, encryption, software quality is applicable to a wide variety of users from small and medium enterprises to large private and public organizations, including agencies of the Federal Government and critical infrastructure companies.

As part of this broader responsibility, on February 13, 2012, the 
President signed Executive Order 13636 which directed NIST to 
work with industry to develop a Cybersecurity Framework to im- 
prove the cybersecurity of critical infrastructure. We believe that 
this framework is an important element in addressing the chal- 
lenges of improving cybersecurity of our critical infrastructure. A 
NIST-coordinated, but industry-led framework will draw on stand- 
ards and best practices that industry already develops and uses. 
NIST will ensure that the process is open and transparent to all 
stakeholders. We will ensure that there is a robust technical under- 
pinning to the framework, and any effort to better protect critical 
infrastructure can only work if it is supported and then imple- 
mented by the owners and operators of this infrastructure, which 
are largely in the private sector. 

This multi-stakeholder approach leverages the respective 
strengths of the public and private sectors. It helps develop solu- 
tions where both sides will be invested. This approach does not dic- 
tate solutions to industry but facilitates industry coming together 
to develop and offer solutions that the private sector is best posi- 
tioned to embrace. 

Relying on standards which are the result of industry coming to- 
gether to develop solutions for market needs we believe will give 
the framework broad acceptance around the world. 

Also importantly, the standards have a unique and key attribute of scalability. We can use solutions that are already adopted in industry or if we can readily adopt, then those same solutions, when used by other markets, reduce transactional costs for our businesses. They provide economies of scale which make all of our industries more competitive and make the goal of achieving cybersecurity more doable.

It also reflects the reality that many in the private sector are al- 
ready doing the right things to protect their systems and should 
not be diverted from these efforts through new standards. 

NIST is engaging with stakeholders through a series of work- 
shops and events to ensure that we can cover the breadth of consid- 
erations that will be needed to make this national priority a suc- 
cess. These sessions are designed to identify existing resources, 
identify gaps, and prioritize the issues that need to be addressed 
as part of the framework. The workshops also bring together a 
broad cross section of participants representing critical infrastruc- 
ture owner/operators, industry associations, standards development 
organizations, individual companies, government agencies, research 
labs, and so forth. 

Last week, NIST held its third workshop to present initial considerations for the framework. It built a discussion around the draft outline for the preliminary framework that NIST had presented for public review a few weeks prior. This workshop had a particular emphasis on issues that had been identified from the initial work by the public. NIST has gained a consensus on several elements that the framework will include, allowing it to become adaptable, flexible, and scalable, and to be put into use.

In October, we will have a preliminary framework that builds on 
these elements. 

After the yearlong effort envisioned in the Executive Order, once 
we have developed this initial framework, the effort will continue. 
For example, NIST will work with the specific sectors in DHS to 
build strong, voluntary programs to implement the framework in 
critical infrastructure areas. That work will then inform the needs 
of critical infrastructure in the next versions of the framework. 

The goal at the end of this process will be for industry to take ownership of the process and update the Cybersecurity Framework themselves, ensuring that the framework will be dynamic and relevant as it continues to evolve.

We have made significant progress. We still have a lot of work 
to do, and I look forward to working with this committee and with 
everyone who is participating in the framework process to address 
the challenges. 

And I look forward to the questions and discussion that we will 
have. Thank you. 

[The prepared statement of Dr. Gallagher follows:] 

Prepared Statement of Dr. Patrick D. Gallagher, Under Secretary of 
Commerce for Standards and Technology and Director, National 
Institute of Standards and Technology, United States Department of 
Commerce

Introduction 

Chairman Rockefeller, Ranking Member Thune, members of the Committee, I am Pat Gallagher, Director of the National Institute of Standards and Technology (NIST), a non-regulatory bureau within the U.S. Department of Commerce. Thank you for this opportunity to testify today on NIST’s role under the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” and NIST’s responsibility to develop a framework to reduce cyber risks to critical infrastructure. I want to acknowledge and thank this Committee for its leadership and support on this issue.

The Role of NIST in Cybersecurity 

NIST’s mission is to promote U.S. innovation and industrial competitiveness by 
advancing measurement science, standards, and technology in ways that enhance 
economic security and improve our quality of life. Our work in addressing technical 
challenges related to national priorities has ranged from projects related to the 
Smart Grid and electronic health records to atomic clocks, advanced nanomaterials, 
and computer chips. 

In the area of cybersecurity, we have worked with Federal agencies, industry, and 
academia since 1972 starting with the development of the Data Encryption Stand- 
ard. Our role to research, develop and deploy information security standards and 
technology to protect information systems against threats to the confidentiality, in- 
tegrity and availability of information and services, was strengthened through the 
Computer Security Act of 1987 and reaffirmed through the Federal Information Se- 
curity Management Act of 2002. 

Consistent with this mission, NIST actively engages with industry, academia, and 
other parts of the Federal Government including the intelligence community, and 
elements of the law enforcement and national security communities, coordinating 
and prioritizing cybersecurity research, standards development, standards conform- 
ance demonstration and cybersecurity education and outreach. 

Our broader work in the areas of information security, trusted networks, and soft- 
ware quality is applicable to a wide variety of users, from small and medium enter- 
prises to large private and public organizations, including Federal Government 
agencies and companies involved with critical infrastructure. 

Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” 

On February 13, 2013, the President signed Executive Order 13636, “Improving 
Critical Infrastructure Cybersecurity,” which gave NIST the responsibility to de- 
velop a framework to reduce cyber risks to critical infrastructure (the Cybersecurity 
Framework). The Executive Order directed NIST to work with industry and develop 
the Cybersecurity Framework and the Department of Homeland Security (DHS) will 
establish performance goals. DHS, in collaboration with sector-specific agencies, will 
support the adoption of the Cybersecurity Framework by owners and operators of 
critical infrastructure and other interested entities through a voluntary program. 

Our partnership with DHS drives much of our effort. Earlier this year, we signed 
a Memorandum of Agreement with DHS to ensure that our work on the Cybersecu- 
rity Framework and the development of cybersecurity standards, best practices, and 
metrics, is fully integrated with the information sharing, threat analysis, response, 
and operational work of DHS. We believe this will enable a more holistic approach 
to address the complex challenges we face. 

A Cybersecurity Framework is an important element to address the challenges of 
improving the cybersecurity of our critical infrastructure. A NIST-coordinated and 
industry-led Framework will draw on standards and best practices that industry al- 
ready develops and uses. NIST ensures that the process is open and transparent to 
all stakeholders including industry, state and local government and academia, and 
ensures a robust technical underpinning to the Framework. This approach will sig- 
nificantly bolster the Cybersecurity Framework to industry. 

This multi-stakeholder approach leverages the respective strengths of the public and private sectors, and helps develop solutions in which both sides will be invested. The approach does not dictate solutions to industry, but rather facilitates industry coming together to offer and develop solutions that the private sector is best positioned to embrace. It also ensures the framework is flexible enough to be applicable to small and mid-sized entities.

I would also like to note that this is not a new or novel approach for NIST. We 
have utilized similar approaches in the recent past to address other pressing na- 
tional priorities. For example, NIST’s work in the area of Cloud Computing tech- 
nologies enabled us to develop important definitions and architectures, and is now 
enabling broad Federal Government deployment of secure Cloud Computing tech- 
nologies. The lessons learned from this experience and others inform how we plan 
for and structure our current effort. 

Developing the Cybersecurity Framework 

The Cybersecurity Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks for critical infrastructure. Regulatory agencies will also review the Cybersecurity Framework to determine if current cybersecurity requirements are sufficient, and propose new actions to ensure consistency. Independent regulators are also encouraged to do the same.

This approach reflects both the need for enhancing the security of our critical in- 
frastructure and the reality that the bulk of critical infrastructure is owned and op- 
erated by the private sector. Any efforts to better protect critical infrastructure must 
be supported and implemented by the owners and operators of this infrastructure. 
It also reflects the reality that many in the private sector are already doing the 
right things to protect their systems and should not be diverted from those efforts 
through new requirements. 

Current Status of the Cybersecurity Framework and Partnering with 
Industry

NIST sees its role in developing the Cybersecurity Framework as partnering with 
industry and other stakeholders to help them develop the Framework. NIST’s 
unique technical expertise in various aspects of cybersecurity related research and 
technology development, and our established track record of working with a broad 
cross-section of industry and government agencies in the development of standards 
and best practices, positions us very well to address this significant national chal- 
lenge in a timely and effective manner. 

NIST’s initial steps towards implementing the Executive Order included issuing 
a Request for Information (RFI) this past February to gather relevant input from 
industry and other stakeholders, and asking stakeholders to participate in the 
Cybersecurity Framework process. Given the diversity of sectors in critical infra- 
structure, the initial efforts are designed to help identify existing cross-sector secu- 
rity standards and guidelines that are applicable to critical infrastructure. 

A total of 244 responses were posted on NIST’s website. Responses ranged from individuals to large corporations and trade associations and also included comments as brief as a few sentences on specific topics, as well as comments so comprehensive that they ran over a hundred pages. We published an analysis of these comments in May.

NIST is also engaging with stakeholders through a series of workshops and events 
to ensure that we can cover the breadth of considerations that will be needed to 
make this national priority a success. Our first such session — held in April — initi- 
ated the process of identifying existing resources and gaps, and prioritized the 
issues to be addressed as part of the Framework. 

At the end of May, a second workshop at Carnegie Mellon University brought to- 
gether a broad cross-section of participants representing critical infrastructure own- 
ers and operators, industry associations, standards developing organizations, indi- 
vidual companies, and government agencies. This three-day working session, using 
the analysis of the RFI comments as input, was designed to identify and achieve 
consensus on the standards, guidelines, and practices that will be used in the 
Framework. 

Based on the responses to the RFI, conclusions from the workshops, and NIST 
analyses, the preliminary Framework is designed and intended: 

• To be an adaptable, flexible, and scalable tool for voluntary use; 

• To assist in assessing, measuring, evaluating, and improving an organization’s 
readiness to deal with cybersecurity risks; 

• To be actionable across an organization; 

• To be prioritized, flexible, scalable, performance-based, and cost-effective; 

• To rely on standards, guidelines and practices that align with policy, business, 
and technological approaches to cybersecurity; 

• To complement rather than to conflict with current regulatory authorities; 

• To promote, rather than to constrain, technological innovation in this dynamic 
arena; 

• To focus on outcomes; 

• To raise awareness and appreciation for the challenges of cybersecurity but also 
the means for understanding and managing the related risks; 

• To protect individual privacy and civil liberties; and 

• To be built upon national and international standards and other standards, best 
practices and guidelines that are used globally. 

Last week, NIST held its third workshop to present initial considerations for the 
Framework. This workshop had a particular emphasis on issues that have been 
identified from the initial work — including the specific needs of different sectors. 
During the workshop, NIST gained consensus on the elements of the Framework 
that include: 
• A section for senior executives and others on using this Framework to evaluate an organization’s preparation for potential cybersecurity-related impacts on their assets and on the organization’s ability to deliver products and services. By using this Framework, senior executives can manage cybersecurity risks within their enterprise’s business plans and operations.

• A User’s Guide to help organizations understand how to apply the Framework. 

• Core Sections to address: 

° Five major cybersecurity functions and their categories, subcategories, and in- 
formative references; 

° Three Framework Implementation Levels associated with an organization’s 
cybersecurity functions and how well that organization implements the 
Framework; and 

° A compendium of informative references, existing standards, guidelines, and 
practices to assist with specific implementation. 

At eight months, we will have a preliminary Framework that builds on these ele- 
ments. In a year’s time, once we have developed an initial Framework, there will 
still be much to do. For example, we will work with specific sectors to build strong 
voluntary programs for specific critical infrastructure areas. Their work will then 
inform the needs of critical infrastructure and the next versions of the Framework. 
The goal at the end of this process will be for industry itself to take “ownership” 
and update the Cybersecurity Framework. 

Conclusion 

The cybersecurity challenge facing critical infrastructure is greater than it ever 
has been. The President’s Executive Order reflects this reality, and lays out an am- 
bitious agenda focused on collaboration between the public and private sectors. 
NIST is mindful of the weighty responsibilities with which we have been charged 
by President Obama, and we are committed to listening to, and working actively 
with, critical infrastructure owners and operators to develop a Cybersecurity Frame- 
work. 

The approach to the Cybersecurity Framework set out in the Executive Order will 
allow industry to protect our Nation from the growing cybersecurity threat while en- 
hancing America’s ability to innovate and compete in a global market. It also helps 
grow the market for secure, interoperable, innovative products to be used by con- 
sumers anywhere. 

Thank you for the opportunity to present NIST’s views regarding critical infrastructure cybersecurity challenges. I appreciate the Committee holding this hearing. We have a lot of work ahead of us, and I look forward to working with this Committee and others to help us address these pressing challenges. I will be pleased to answer any questions you may have.


Patrick D. Gallagher 

Dr. Patrick Gallagher was confirmed as the 14th Director of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) on Nov. 5, 2009. He also serves as Under Secretary of Commerce for Standards and Technology, a new position created in the America COMPETES Reauthorization Act of 2010. Prior to his appointment as NIST Director, Gallagher had served as Deputy Director since 2008.

Gallagher provides high-level oversight and direction for NIST. The agency promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST’s FY 2013 budget includes $778.0 million in direct and transfer appropriations, an estimated $49.7 million in service fees and $120.6 million from other agencies. The agency employs about 3,000 scientists, engineers, technicians, support staff, and administrative personnel at two main locations in Gaithersburg, Md., and Boulder, Colo. NIST also hosts about 2,700 associates from academia, industry, and other government agencies, who collaborate with NIST staff and access user facilities. In addition, NIST partners with more than 1,300 manufacturing specialists and staff at more than 400 MEP service locations around the country.

Under Gallagher, NIST has greatly expanded its participation, often in a leader- 
ship role, in collaborative efforts between government and the private sector to ad- 
dress major technical challenges facing the Nation. NIST’s participation in these ef- 
forts stems from the agency’s long history of technical accomplishments and leader- 
ship in private-sector led standards-development organizations and in research 
fields such as manufacturing engineering, cybersecurity and computer science, forensic science, and building and fire science. Currently, he co-chairs the Standards 
Subcommittee under the White House National Science and Technology Council. 

Gallagher joined NIST in 1993 as a research physicist and instrument scientist 
at the NIST Center for Neutron Research (NCNR), a national user facility for neu- 
tron scattering on the NIST Gaithersburg campus. In 2000, he became group leader 
for facility operations, and in 2004 he was appointed NCNR Director. In 2006, the 
U.S. Department of Commerce awarded Gallagher a Gold Medal, its highest honor, 
for his leadership in interagency coordination efforts. 

Gallagher received his Ph.D. in physics at the University of Pittsburgh and a 
bachelor’s degree in physics and philosophy from Benedictine College. 

The Chairman. Thank you, sir. Thank you very much. 

Now Mr. Arthur W. Coviello, Jr. Did I get that right? 

Mr. Coviello. You did. 

The Chairman. Thank you. Who is Executive Chairman, RSA, 
The Security Division of EMC. That is a form of encryption. 

STATEMENT OF ARTHUR W. COVIELLO, JR., EXECUTIVE 
CHAIRMAN, RSA, THE SECURITY DIVISION OF EMC 

Mr. Coviello. Yes. We are the gold standard of encryption actu- 
ally. 

The Chairman. OK. 

Mr. Coviello. So thank you. Chairman Rockefeller and Ranking 
Member Thune and members of the Committee. I am pleased to 
have the opportunity to address you today regarding NIST’s part- 
nership with industry in the area of cybersecurity. 

RSA is a leading provider of not just encryption technology, but 
other security compliance and risk management solutions for orga- 
nizations worldwide. We do help the world’s leading organizations 
succeed in their efforts in IT infrastructure by solving their most 
complex and sensitive security challenges. 

Today’s hearing topic is one that is close to home for our com- 
pany. EMC and RSA have already enjoyed a close partnership with 
NIST. We work closely with Dr. Gallagher and his team on a number of issues that are tightly linked to information security. From 
our vantage point as a provider of security solutions, RSA’s collabo- 
ration with NIST is at the heart of our collective goal of safe- 
guarding the world from an advanced and evolving cyber threat. 

NIST’s National Cybersecurity Center of Excellence Lab initia- 
tive offers U.S. companies a valuable opportunity to collaborate 
with NIST to address a range of security risks and privacy protec- 
tion imperatives. I repeat also “privacy protection imperatives.” 
With the goal of securing critical infrastructure, the center inspires 
technological innovation to find creative solutions to intractable 
and growing cyber security challenges. 

Of late, EMC and RSA, along with other private sector compa- 
nies, have appreciated the opportunity to work closely with NIST 
on implementing the President’s Executive Order. Through a collaborative effort to develop a Cybersecurity Framework for critical 
infrastructure, we have worked with stakeholders to explore the 
art of the possible to bring our nation to the cutting edge of 
cybersecurity. This collaboration between industry and NIST is a 
great example of what the public and private sectors can do to- 
gether and represents an important step in the right direction. 
However, your legislation is still needed to create a more effective, long-term partnership between the public and private sectors. 
So we applaud the Committee for its work to develop bipartisan 
legislation based on an industry-driven, voluntary approach. The 
Cybersecurity Act of 2013 complements the President’s executive 
order by codifying the important steps the administration has al- 
ready taken to protect critical infrastructure and gives Government 
and industry additional tools to bolster our cyber defenses. 

As efforts progress, we urge you to consider three key points. 

First, any successful cybersecurity effort should be industry-driv- 
en, as you have done. With the rapid pace of innovation, owners 
and operators of critical infrastructure are the ones best positioned 
to keep pace with the rapidly evolving, and sometimes equally in- 
novative, threat landscape. For this reason, standards and best 
practices should be nonprescriptive, nonregulatory, and technology 
neutral. Things move too fast. This legislation achieves those objec- 
tives by initiating a voluntary, industry-led standards development 
process that will build on the great work that is already being done 
in the private sector. This close and continuous coordination be- 
tween Government and industry is vital to the ongoing develop- 
ment of best practices to combat these ever-changing threats. A 
common understanding supported by NIST can enable us collec- 
tively to move farther and faster in our race against the threat ac- 
tors. 

Second, as we move forward, we must think not only of today’s 
threats but also of the cybersecurity challenges of the future. That 
is why we are pleased to see that the legislation includes provisions 
to increase cybersecurity research and to support the development 
of the cybersecurity workforce. Investments in cybersecurity edu- 
cation and workforce training today will develop the talent we need 
to strengthen our defenses for years to come. And I can tell you the 
shortage of skilled people in the industry is one of our most critical 
problems. 

I can also tell you with the rapidly evolving pace of technology 
adoption and all the great productivity that can be derived from 
implementing information technology, the attack surface is only 
going to expand dramatically. We will only be able to take advantage of these great technology innovations if people have confidence. That is why the framework that is being developed in cooperation with the private sector and NIST is so important to our 
future; this will be an ongoing problem. 

And third, as both Chairman Rockefeller and Ranking Member 
Thune have pointed out, it is imperative that Congress address 
other key cybersecurity issues not under this committee’s jurisdic- 
tion. Removing barriers and promoting the safe and secure sharing 
of actionable threat intelligence between the public and private sec- 
tors will enhance our collective ability to mitigate future threats. 

Additionally, we must modernize Federal information security 
management, standardize breach notification, and streamline the 
acquisition of technology in order to create a positive business cli- 
mate, while improving our nation’s cybersecurity posture. 

So, once again, we thank Chairman Rockefeller and Ranking 
Member Thune for their dedication to advancing this important 
legislation. I strongly believe the actions undertaken by this committee and the bipartisan leadership of its members will set a positive course for others in Congress to realize the urgency in addressing this growing threat. As the Senate confronts the policy challenges of cybersecurity, I have every confidence in industry’s ability 
to leverage its existing relationship with NIST to enhance the 
cybersecurity of our critical infrastructure. Under this committee’s 
leadership, we sincerely hope that Congress will act quickly to ad- 
dress this urgent threat to our national security. 

I look forward to working with you and your colleagues in Con- 
gress as this proposal advances. And again, I thank you for the op- 
portunity to be here today, and I look forward to your questions. 
Thank you. 

[The prepared statement of Mr. Coviello follows:] 

Prepared Statement of Arthur W. Coviello, Jr., Executive Chairman, RSA, 
The Security Division of EMC 


Introduction 

Chairman Rockefeller, Ranking Member Thune, and Members of the Committee, 
my name is Art Coviello and I am an Executive Vice President of EMC Corporation 
and Executive Chairman of RSA, The Security Division of EMC. Thank you for the 
opportunity to testify today regarding the National Institute of Standards and Tech- 
nology (NIST)’s work with industry in the area of cybersecurity. Today’s hearing 
topic is one that is close to home for our company. EMC and RSA have enjoyed a 
partnership with NIST that has spanned decades, and we are pleased to be working 
with them today to enhance our nation’s cybersecurity. 

RSA provides security, compliance, and risk management solutions for organiza- 
tions worldwide. We help the world’s leading organizations succeed by solving their 
most complex and sensitive security challenges, making it possible for them to safe- 
ly benefit from the tremendous opportunities of digital technology and the Internet. 
EMC Corporation is a global leader in enabling businesses and third-party providers 
to transform their operations and deliver Information Technology (IT) as a service 
through innovations in big data, cloud computing and data storage. 

The United States, like many other nations, is highly dependent upon IT. Every- 
thing from national security and intelligence, to commerce and business, to personal 
communications and social networking depends on networked systems. The dynamic 
nature of this sector has created millions of jobs and generated significant economic 
growth. Every day, the Internet is increasing productivity; driving globalization and 
political change; and fueling every major industry and economy in the world. 

Unfortunately, that same dynamism has given rise to an ever-evolving cyber 
threat that threatens every individual, every company, every industry, and every 
country in the networked world. 

The recent rise in cyber attacks is nothing short of astounding. According to the 
Government Accountability Office (GAO), the number of cyber attacks reported by 
Federal agencies increased by 782 percent from Fiscal Year 2006 to Fiscal Year 
2012, from 5,503 to 48,562.¹ Clearly, our government is under attack, and those statistics do not account for the daily intrusions private sector entities and private citizens are facing from a wide range of threat actors. 

As a provider of security solutions, we are seeing first-hand the rapid evolution 
of the threat landscape, with more varied targets, and in many cases, more ad- 
vanced technologies and tactics than ever before. This ever-increasing risk is threat- 
ening to erode trust in digital commerce, communication and collaboration on which 
we have all come to depend. 

I have been involved in the policy debates regarding information security and pri- 
vacy for a number of years, and I appreciate this Committee’s sustained leadership 
on these issues. Given its potential for loss and disruption, cybersecurity has become 
a vital economic and national security issue, and we applaud the Committee for its 
work to reach a bipartisan solution. 


¹ GAO, Cybersecurity: A Better Defined and Implemented Strategy is Needed to Address Persistent Challenges, GAO-13-462T (Washington, D.C.: March 7, 2013). 
Partnership with NIST 

EMC and RSA have long enjoyed a close partnership with NIST on a number of 
issues that are closely linked to information security. As a provider of security solu- 
tions, RSA’s collaboration with NIST is at the heart of our collective goal of safe- 
guarding the networked world from an advanced and evolving cyber threat. NIST’s 
National Cybersecurity Center of Excellence (NCCoE) lab initiative offers U.S. com- 
panies a valuable opportunity to collaborate with NIST and the public sector to ad- 
dress a range of security risks and privacy protection imperatives. With a goal of 
securing critical infrastructure, the Center inspires technological innovation to find 
creative solutions to intractable cybersecurity challenges. 

Director Gallagher and the NIST team have been exceptional partners with indus- 
try. Since the President announced in February his Executive Order “Improving 
Critical Infrastructure Cybersecurity,” we have been working with other stake- 
holders and NIST to develop a voluntary framework for reducing cyber risks to crit- 
ical infrastructure that references standards, guidelines, and best practices to pro- 
mote the protection of critical infrastructure. We have also partnered with NIST in 
its NCCoE lab initiative to address a range of security risks in support of the Na- 
tional Cybersecurity Excellence Partnership (NCEP). As a public-private partner- 
ship, the NCEP offers U.S. companies the opportunity to form a long-term relation- 
ship with the NCCoE. Through a collaborative effort, participating companies work 
together to explore the “art of the possible” and bring our Nation to the cutting 
edge of cybersecurity. The NCCoE’s strategy is focused on and driven by the prac- 
tical cybersecurity needs of American businesses, which is a secure cyber infrastruc- 
ture that inspires technological innovation and fosters economic growth. 

Collaboration among innovators provides real-world cybersecurity capabilities that 
address business needs and help people secure their data and digital infrastructure 
by equipping them with practical ways to implement cost-effective, repeatable and 
scalable cybersecurity solutions. It also enables companies to rapidly adopt commer- 
cially-available cybersecurity technologies by reducing their total cost of ownership. 
Most importantly, it empowers innovators to creatively address businesses’ most 
pressing cybersecurity challenges in a state-of-the-art, collaborative environment.² 

RSA’s “Archer” solution is one example of this collaborative effort. Incorporated into 
the NCCoE’s geo-location and security profiling environments, Archer allows adap- 
tation to compliance requirements involving privacy, international safe harbor re- 
strictions and applications in the cloud. 

As a multinational corporation that operates in over 80 countries around the 
world, we favor global standards whenever possible. The use of international standards is critical as we seek to meet the broad needs of our user base, but these standards must again be industry-led, voluntary and non-prescriptive. If developed in a 
transparent, flexible manner, international standards make it possible for global or- 
ganizations and their customers to continue to make improvements as needs 
change. 

Even so, we recognize that in some cases NIST must develop new standards for 
Federal Government nonclassified information systems. In these cases, we urge 
NIST to continue to work in an open, transparent process with stakeholder input. 
Here are a few examples of our ongoing engagement with NIST around standards 
development and use: 

• RSA’s BSAFE product is validated against FIPS 140-2 on a regular basis to ensure our cryptographic implementations. It is our understanding that NIST 
made a significant contribution from their FIPS 140-2 work to the development 
of the complementary international standard for cryptographic modules.³ 

• NIST cited EMC’s contributions to a NIST Interagency Report on supply chain 
(NIST IR 7622) as we offered detailed, constructive suggestions over several 
years to improve the document.⁴ 

• An RSA employee coauthored a (Draft) NIST Interagency Report: Trusted 
Geolocation in the Cloud: Proof of Concept Implementation (NIST IR 7904 
Draft).⁵ 

• EMC works closely with our Federal customers to help them assess the risks 
of their new proposed information systems following the Federal Information 
Security Management Act (FISMA) process. The risk-based FISMA process, 


² http://csrc.nist.gov/nccoe/The-Center/Mission/Strategy.html 

³ ISO/IEC 19790: Information technology — Security techniques — Security requirements for 
cryptographic modules 

⁴ http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf 
⁵ http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf 
which itself deserves further updating, is in turn anchored in NIST standards such as the recently updated NIST 800-53 Rev 4 security control catalog.⁶ We appreciate that this new security catalog has a detailed mapping to two key international standards in wide industry use: ISO 27001⁷ and The Common Criteria.⁸ For the first time, this prominent U.S. Federal standard outlines controls for privacy along with security, a key linkage that we were pleased to see acknowledged in your draft legislation. 

EMC/RSA as an Industry Leader 

In addition to our longstanding history working with NIST, EMC and RSA have 
a proven track record as an industry leader in security. RSA has long recognized 
that cybersecurity is dynamic, and all stakeholders must continue to evolve our col- 
lective ability to counter cyber threats. In 1991, we responded to this new challenge 
by creating one of the largest security thought-leadership conferences in the world, 
RSA Conference. It is an annual industry event, which seeks to help drive the global 
information security agenda. Throughout its history, RSA Conference has consist- 
ently attracted the best and brightest in the field, creating opportunities for con- 
ference attendees to learn about IT security’s most important issues through first- 
hand interactions with peers, luminaries and both established and emerging compa- 
nies. As the IT security field continues to grow in importance and influence, RSA 
Conference, in conjunction with our many industry partners, plays an integral role 
in keeping security professionals across the globe connected and educated. 

EMC/RSA has demonstrated a longstanding commitment to improving our indus- 
try’s best practices, particularly in the secure development field. In 2007, EMC, 
along with other industry leaders, created the Software Assurance Forum for Excel- 
lence in Code (SAFECode) to define, promote and share best practices and guidance 
outlining how to build secure software. SAFECode represents the first coherent, 
user-friendly collection of industry best practices in the development space. Available to the public free of charge, SAFECode’s best practice guidance documents outline realistic approaches to secure development.⁹ The SAFECode initiative has produced a wealth of accumulated knowledge and shareable training materials that are 
being leveraged every day by developers to create software that is more secure than 
anything we have seen before. 

RSA knows first hand that no one is immune to the cyber threat. In 2011, RSA 
detected a targeted cyber attack on our systems. Certain information related to an 
RSA product had been extracted. We publicly disclosed the breach and immediately 
began working to develop and publish best practices and remediation steps, so that 
others could learn from our experience. We proactively reached out to thousands of 
customers across the public and private sectors to help them mitigate the effects of 
the breach. Further, we worked with the appropriate U.S. Federal government 
agencies, including NIST, and several information sharing and analysis centers 
(ISACs) to ensure broad communication of these best practices and remediation 
steps, as well as information about the attack. 

Our experience was not unique. Individuals, governments, and companies deal 
with threats every day from nation states, criminals, hacktivists, and rogue actors. 
We have made great strides in the security space, but there is much work left to 
be done. As Robert Bigman, former CISO of the Central Intelligence Agency (CIA), 
has stated, the United States is “exactly where the cyber criminals want us to be. 
They’re very happy with our current situation.”¹⁰ 

The cyber threats we collectively face are real and immediate, and there are a 
number of steps that must be taken to enhance our economic and national security. 

Implementing the President’s Executive Order 

Recently, EMC and RSA, along with other private sector companies, have appre- 
ciated the opportunity to work closely with NIST on the implementation of the 
President’s Executive Order to Improve Critical Infrastructure Cybersecurity. 

This collaboration between industry and NIST is a great example of what the pub- 
lic and private sectors can do together and represents an important step in the right 
direction. However, legislation is still needed to create a more effective partnership 
between the public and private sectors. 


⁶ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf 
⁷ ISO/IEC 27001: Information technology — Security techniques — Information security manage- 
ment systems — Requirements 

⁸ ISO/IEC 15408: Information technology — Security techniques — Evaluation criteria for IT se- 
curity 

⁹ SAFECode.org/publications 

¹⁰ http://www.usnews.com/news/articles/2012/12/04/former-cia-officer-united-states-lags-far-behind-in-cyber-security 
Key Elements of the Draft Legislation 

We applaud the Committee for its work to develop bi-partisan legislation based 
on an industry-driven, voluntary approach. This legislation complements the Presi- 
dent’s Executive Order by codifying the important steps the Administration has al- 
ready taken to protect critical infrastructure and gives government and industry ad- 
ditional tools to bolster our cyber defenses. We are pleased to see that the draft bill 
requires a voluntary, non-regulatory process, enabling further collaboration between 
the public and private sectors to leverage non-prescriptive and technology-neutral, 
global cybersecurity standards for critical infrastructure. We also commend the 
Committee for including crucial provisions to support cyber research and develop- 
ment; increase awareness of cyber risks; and improve cybersecurity education and 
workforce training. 

As efforts progress, we urge you to consider a few key points: 

(1) Any successful cybersecurity effort must be industry-driven. 

With the rapid pace of innovation, owners and operators of critical infrastructure 
need the flexibility to keep pace with the rapidly-evolving and sometimes equally 
innovative threat landscape. For this reason, standards and best practices should 
be non-prescriptive, non-regulatory, and technology-neutral. This draft legislation 
achieves those objectives by initiating a voluntary, industry-led standards develop- 
ment process that will build on the great work that is already being done in the 
private sector. This close and continuous coordination between government and in- 
dustry is vital to the ongoing development of best practices to combat the ever- 
changing threats we all face. 

Collaborative efforts between government and industry have been similarly suc- 
cessful in addressing supply chain security issues. EMC has been an early adopter 
of industry best practices to strengthen the security of our supply chain and ensure 
the global integrity of our software and hardware development processes. EMC 
shared its experience in two SAFECode whitepapers on software integrity. As a 
leader in the security field, RSA has actively engaged with government and industry 
partners to develop global supply chain security standards. 

The following are a few examples of industry-led efforts to develop and implement 
security standards: 

The Common Criteria: The Common Criteria are a set of international com- 
puter security standards developed by governments that include Canada, 
France, Germany, the Netherlands, the United Kingdom and the United States 
through active engagement with industry. EMC/RSA has made substantial in- 
vestments over many years to certify many of our products against the Common 
Criteria, which are now recognized by 26 countries. U.S. policy should encour- 
age those countries that do not yet recognize The Common Criteria to follow 
suit as a baseline assessment and avoid separate, custom national evaluations 
in order to access their markets. 

Protection Profiles: Industry has taken the lead to contribute technical content 
related to supply chain evaluations against standard “Protection Profiles” for 
different classes of technology. This directly supports a strategy by The Com- 
mon Criteria Development Board and the National Security Agency (NSA)’s Na- 
tional Information Assurance Partnership (NIAP) unit to reorient product eval- 
uations towards protection profiles, many of which are also developed by indus- 
try. 

Open Trusted Technology Provider Standard (O-TTPS): In 2009, RSA’s Chief 
Technology Officer worked with the U.S. Department of Defense to launch a 
joint public-private initiative that led to a published global supply chain standard in April 2013. The resulting standard, The Open Group’s O-TTPS Standard for Mitigating Maliciously Tainted and Counterfeit Products, addresses two of 
our most important threats. Earlier this month at their international con- 
ference, The Open Group’s Trusted Technology Forum awarded EMC for its 
“outstanding contribution” to this multi-year standard development process. The 
new, global O-TTPS standard will have a measurable accreditation program by 
year’s end, enabling compliance down into the technology supply chain. This 
non-prescriptive pilot program focuses on measuring the outcomes of practices, 
while giving each organization the latitude to determine how best to reach the 


¹¹ SAFECode.org/publications 

¹² ISO/IEC 15408: Information technology — Security techniques — Evaluation criteria for IT se- 
curity — Part 1: Introduction and general model 

¹³ http://www.opengroup.org/news/press/open-group-releases-global-technology-supply-chain-security-standard 
performance goals. This Open Group industry standards effort also has a formal 
liaison with ISO/IEC’s emerging standard on supplier relationships that has 
itself been developed with significant industry review and comments. 

(2) Public and private sector collaboration is essential to bolstering cybersecurity. 

EMC and RSA strongly support the bill’s aim of establishing more effective col- 
laboration between industry and government to address cybersecurity issues. We al- 
ready participate in two successful initiatives that we believe can serve as a model 
for future public-private partnerships in the cybersecurity field. 

At the national level, the Enduring Security Framework (ESF) is a partnership 
of senior industry and government executives to identify critical cyber 
vulnerabilities and mobilize experts to address the risks. At the regional level, the 
New England Advanced Cyber Security Center is a consortium of industry, govern- 
ment, and universities working together to share cyber threats and explore new 
areas of research required to improve our defenses. 

(3) Cybersecurity standards should be voluntary, non-prescriptive, and technology- 
neutral. 

The voluntary nature of the legislation is of paramount importance. While we sup- 
port the development of standards and best practices, we firmly believe that compa- 
nies should have the flexibility to determine for themselves how best to secure their 
networks. In this highly-innovative sector, companies need the flexibility to explore 
creative approaches and technologies. Government regulations cannot reasonably 
keep pace with innovation, and companies must be free to design and build secure 
products in a global environment as they see fit without government intrusion. This 
ensures ongoing technology innovation in a global marketplace, resulting in in- 
creased productivity, job creation, and economic growth. 

(4) Both government and the private sector must invest in increasing public aware- 
ness of the cyber threat. 

In today’s increasingly interconnected world, every individual has a role to play 
in enhancing cybersecurity. As we have seen, simple errors such as the use of weak 
passwords and poor cyber hygiene can have serious consequences. For this reason, 
we strongly support the legislation’s call for NIST to launch a cybersecurity aware- 
ness campaign. Increased awareness is our first line of defense against cyber at- 
tacks, and we applaud the Committee for recognizing this. As NIST undertakes this 
effort, there are a number of existing public-private partnerships upon which we can 
build. 

The National Cyber Security Alliance (NCSA) is a non-profit organization com- 
prised of captains of industry ranging from defense and IT companies to financial 
institutions and e-commerce providers to telecommunications companies and ISPs. 
Founded in 2001, the Alliance works with all levels of government to promote 
cybersecurity awareness. As one of its founding members, EMC/RSA has been involved 
in this partnership since its inception and as the cybersecurity challenge has grown, 
so has the Alliance. 

In collaboration with its public sector partners, NCSA established National Cyber 
Security Month in October, which is designed to elevate and expand cybersecurity 
awareness programs. We appreciate the support of the President of the United 
States and the U.S. Congress in this effort, and we are pleased to see that the ini- 
tiative has grown year after year. The U.S. Department of Homeland Security 
(DHS) is a long-time participant and supporter of this public-private partnership as 
are multiple other Federal government agencies and many state and local govern- 
ments. 

NCSA has also partnered with the Anti-Phishing Working Group (APWG) and 
DHS to launch the Stop-Think-Connect awareness campaign; an effort we will con- 
tinue supporting actively to help grow its influence as a nationwide and multi-na- 
tional public awareness initiative. 

(5) As we move forward, we must think not only of today’s threats, but also of the 
cybersecurity challenges of the future. 

Today, thousands of cybersecurity positions remain unfilled in both the public and 
private sectors, simply because of a lack of qualified candidates. We are pleased to 


¹⁴ ISO/IEC 27036: Information technology — Security techniques — Information security for sup- 
plier relationships — Part 1: Overview and concepts 
¹⁵ www.staysafeonline.org 
¹⁶ http://stopthinkconnect.org 
see that the draft legislation includes provisions to increase cybersecurity research 
and to support the development of the cybersecurity workforce. 

Title II of the draft legislation calls for a national cybersecurity research and de- 
velopment plan to be developed by the Office of Science and Technology Policy 
(OSTP) and the coordination of research and development activities at the National 
Science Foundation (NSF), NIST, other Federal agencies, academia, and the private 
sector. We believe the authorization of coordinated research will address gaps in 
knowledge that prevent the development of secure technologies. In addition, the 
Networking and Information Technology Research and Development (NITRD) pro- 
gram has been successful in supporting research on the science of cybersecurity and 
will enhance the continuation of innovative approaches to new technology. 

Title III of the draft bill supports efforts to prepare the cybersecurity workforce 
of tomorrow. Our young people are our greatest asset, but our students are falling 
behind in the crucial fields of science, technology, engineering and math. Invest- 
ments in cybersecurity education and workforce training today will develop the tal- 
ent we need to strengthen our defenses for years to come. 

As cyber threats continue to escalate at an alarming rate, we need to invest in 
building the cybersecurity workforce with the requisite skills to defend our systems 
and drive continued innovation. Two areas of investment are particularly important: 

Cyber security programs in post-secondary schools: To defend our networks, we 
will need to graduate more individuals with expertise in computer sciences, risk 
assessment, data mining, data visualization and analytics, digital forensics, and 
human behavior. Our colleges and universities must place an emphasis on pro- 
ducing graduates with the technical and cross-functional skills needed to defend 
against our cyber adversaries. The Federal government should support pro- 
grams at the college and university levels that graduate qualified cybersecurity 
professionals. One such example is the Scholarship for Service program, funded 
by NSF, NSA and DHS, which has produced cybersecurity professionals now 
working in both the public and private sectors. This and other successful gov- 
ernment-funded scholarship programs should be expanded to continue to grow 
the cyber workforce. 

Training, certification and accreditation programs to increase and maintain 
cybersecurity proficiency: In 2009, SAFECode members outlined a framework 
around secure engineering training that concluded that they could not suffi- 
ciently rely on colleges and universities to deliver graduates that could join the 
workforce without substantial, advanced company-led training. Consequently, 
government and private enterprises should provide increased cybersecurity 
training opportunities for their IT staff. The SANS Institute and the Inter- 
national Information System Security Certification Consortium (ISC2) and In- 
formation Systems Audit and Control Association (ISACA) provide education 
and certification programs that can be replicated and expanded to further de- 
velop the cyber workforce. 

In addition, new programs such as the U.S. Cyber Challenge and the National 
Initiative for Cybersecurity Education (NICE) should serve as models for future edu- 
cation programs. NICE has evolved from the Comprehensive National Cybersecurity 
Initiative, and extends its scope beyond the Federal workplace to include civilians 
and students in kindergarten through post-graduate school. The goal of NICE is 
to establish an operational, sustainable and continually improving cybersecurity 
education program to enhance the Nation’s security. These vitally important initia- 
tives are being put into place to identify, recruit and place the next generation of 
cybersecurity professionals. 

This effort will require significant investments today, but if these initiatives are 
implemented properly, our technological future is bright. We look forward to a time 
when government and industry work as true partners to combat cyber threats. We 
also look forward to having a skilled and savvy workforce that comes to the table 
understanding the threat landscape and best practices ready to apply their expertise 
in a rich economic environment. These cyber professionals will be the brightest and 
best-trained that we have ever seen, and they will develop innovative ways to com- 
bat the cyber threats more quickly and more creatively than we could ever dream 
of today. 


¹⁷ https://www.sfs.opm.gov/ 

¹⁸ SAFECode.org/publications 

¹⁹ For more information, go to the U.S. Cyber Challenge Website at: http://workforce.cisecurity.org/. 

²⁰ http://csrc.nist.gov/nice/aboutUs.html 

For all of the reasons noted above, this draft legislation represents an important 
step in the right direction, but there is more work yet to be done. 

Next Steps 

In order to effectively address cyber threats there must be an “innovative and co- 
operative approach between the private sector and the Federal government” and we 
need to collectively utilize expertise within both government and industry. As Com- 
mander of U.S. Cyber Command General Keith Alexander has said many times, “se- 
curing our nation’s network is a team sport.”²¹ Without strong public-private part- 
nerships and actionable cyber intelligence information sharing between government 
and industry, we will not be able to make the progress that is so desperately need- 
ed. Moving forward, we recommend two key next steps: 

(1) Government should explore additional opportunities to leverage public-private 
partnerships. 

We greatly appreciate NIST’s commitment to working with industry, and we be- 
lieve similar public-private partnerships should be explored. The public sector 
should further leverage information available from commercial services to paint a 
fuller picture of the threat landscape. 

For example, the RSA Anti-Fraud Command Center (AFCC) has worked globally 
with financial institutions, ISPs, law enforcement and other organizations to detect 
and shut down hundreds of thousands of phishing attacks since 2007.²² 

Similarly, we have worked with industry-led Information Sharing Analysis Cen- 
ters (ISACs) that are partnering with government entities and law enforcement — 
such as the Financial Services ISAC — to provide timely and actionable information 
on cyber threats and attacks.²³ Actionable information gained from these mecha- 
nisms and in other processes with industry is often as valuable as information from 
government sources. 

(2) It is imperative that Congress address other key cybersecurity issues not 
under this Committee’s jurisdiction. 

These include advancing the sharing of cyber threat intelligence between govern- 
ment and industry; establishing liability protections for entities that share threat 
information; and streamlining acquisition of technology. We urge the Congress to ex- 
amine ways to break down barriers to information sharing and create incentives for 
the public and private sectors to work together to safely and securely share real- 
time, actionable information about cyber threats. Linking the adoption of 
cybersecurity standards to incentives such as liability protection and streamlined ac- 
quisition of technology will create a positive business climate while improving our 
nation’s cybersecurity posture. 

We also support additional legislative initiatives to update criminal laws and pen- 
alties; enact Federal data breach law; modernize FISMA; and develop reasonable 
and effective policy approaches to supply chain protection that will not stifle innova- 
tion and competition. 

Conclusion 

We thank Chairman Rockefeller and Ranking Member Thune for their dedication 
to advancing this important legislation. I strongly believe the action undertaken by 
this Committee and the bipartisan leadership of its Members will set a positive 
course for others in Congress to realize the urgency in addressing this growing 
threat. As the Senate confronts the policy challenges of cybersecurity, I have every 
confidence in industry’s ability to leverage its existing relationship with NIST to en- 
hance the cybersecurity of our critical infrastructure. Under this Committee’s lead- 
ership, we sincerely hope that Congress will act quickly to address this urgent 
threat to our national security. 

Again, I thank you for the opportunity to be here today, and EMC and RSA look 
forward to working with you and your colleagues in Congress as this proposal ad- 
vances. 


²¹ http://365.rsaconference.com/community/archive/usa/blog/2011/02/17/video-rsac-us-2011-keynote-the-department-of-defense-active-cyber-defense-and-the-secure-zone-general-keith-h-alexander 

²² For more information on the AFCC, see http://www.emc.com/collateral/solution-overview/10580-afcc-sb.pdf 

²³ For more information on the FS-ISAC’s information sharing practices and programs, see 
“Testimony of William B. Nelson, The Financial Services Information Sharing & Analysis Cen- 
ter” before the U.S. House of Representatives Financial Institutions and Consumer Credit Sub- 
committee, September 14, 2011. 

The Chairman. Thank you, sir, very much. 

At 3:15, there will likely be a vote, and I just need to inform 
members of that because I just found out. That is what happens 
in the Senate. So we will just disappear. If we can stage it, we will 
do that so we keep the hearing going. 

All right. Mark Clancy, Managing Director, Technology Risk 
Management and Corporate Information Security Officer, The De- 
pository Trust & Clearing Corporation. Please, sir. 

STATEMENT OF MARK G. CLANCY, MANAGING DIRECTOR, 
THE DEPOSITORY TRUST & CLEARING CORPORATION 
ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION, 
FINANCIAL SERVICES ROUNDTABLE, AND SECURITIES 
INDUSTRY AND FINANCIAL MARKETS ASSOCIATION 

Mr. Clancy. Thank you. Chairman Rockefeller, Ranking Member 
Thune, and members of the Committee, thank you for scheduling 
today’s hearing on improving cybersecurity through the NIST and 
private sector partnership. 

My name is Mark Clancy and I am the Corporate Information 
Security Officer of the Depository Trust & Clearing Corporation, or 
DTCC. I also have leadership roles in the Financial Services Sector 
Coordinating Council and the Financial Services Information Shar- 
ing Analysis Center, which is the operational hub for information 
sharing in the financial sector. 

DTCC is participant-owned, governed, and serves the critical in- 
frastructure for the U.S. and global capital markets. DTCC pro- 
vides many services to the financial industry, but the easiest way 
to think about us is with one example. After a trade is executed 
on a stock exchange, we ensure that the shares move to the people 
who bought them and the money moves to the people who sold 
them. We do this across all the major exchanges in the United 
States, and in the aggregate, DTCC processed last year $1.6 quad- 
rillion in transactions and all of that occurred in cyberspace. 

Today I am testifying on behalf of the American Bankers Asso- 
ciation, the Financial Services Roundtable, the Securities Industry 
and Financial Markets Association who collectively represent a 
large segment of the financial services sector. We applaud and sup- 
port the goals of the bill crafted by the leadership of the Com- 
mittee. 

Researchers estimate there is $100 billion in annual loss to the 
U.S. economy and half a million jobs lost as a result of cyber crime 
and cyber espionage. 

The financial sector institutions perform risk assessments based 
on the types of attacks and threat actors that we are subjected to. 
We group threat actors into four categories: crime, hacktivism, es- 
pionage, and war. The threats from these groups range from theft 
of customer information or intellectual property through disrup- 
tions such as denial of service attacks to the destruction of systems 
and data. 

The financial services sector recognizes cybersecurity is a non- 
competitive area and is committed to working together to address 
this issue. A key organization in this partnership is the Financial 
Services Coordinating Council whose mission is to strengthen the 
resiliency of the financial services sector against attacks and other 
threats of the Nation’s critical infrastructure. 

We appreciate and support the goals of S. 1353 for NIST to facili- 
tate the necessary private and public sector collaboration to estab- 
lish voluntary standards and best practices to better secure our na- 
tion from cyber attack. The sector believes strongly that to be suc- 
cessful, the collaboration must include the leadership in the private 
and public sector, as well as industry practitioners who address 
cybersecurity-related risks every day. The frameworks and stand- 
ards that are rooted in the global, real-world, real-time nature of 
the threat are those that will achieve the objectives of the Nation 
to reduce risk from cyber threats to critical infrastructure. 

The sector has participated in a number of NIST initiatives over 
the years and has found the organization to be ideal for the devel- 
opment of standards and collaboration. Supporting the develop- 
ment of the NIST Cybersecurity Framework has been a major ini- 
tiative of the sector. We provided comments to NIST with an em- 
phasis on the existing national and international regulatory frame- 
works that the sector currently complies with. We have actively 
participated in the workshops and are appreciative of the efforts by 
NIST to seek the sector’s input on specific topics and to understand 
how the Cybersecurity Framework will be used by our sector. 

The Committee bill incorporates this collaborative effort, and we 
hope to see swift passage of the bill. I wanted to highlight four 
major issues of interest in the bill to the financial services sector. 

One, NIST as the Government organization with the responsi- 
bility to develop standards. 

Two, increasing research and development for the design and 
testing of software. 

Three, educating the workforce and preparing students for future 
technical roles. 

And four, promoting a national cybersecurity awareness cam- 
paign. 

There are two additional points Congress should consider as this 
bill is finalized. 

First, we strongly encourage the research agenda to include the 
evaluation of risk management through the supply chain. This will 
improve the resilience of all sectors by detecting and defending 
against software and hardware components that have been tam- 
pered with during the production, shipment, and through the inter- 
national supply chain process. 

Second, in addition to this bill, we encourage the Senate to intro- 
duce and pass legislation that would enhance the ability of the pri- 
vate sector and Government to share cyber threat information 
while providing the necessary privacy protections for individuals. 

On behalf of the American Bankers Association, the Financial 
Services Roundtable, the Securities Industry and Financial Mar- 
kets Association, along with DTCC, I would like to thank you for 
holding today’s hearing to continue to raise awareness on this crit- 
ical issue and for inviting us to testify. I would be happy to address 
any questions that you may have. 

[The prepared statement of Mr. Clancy follows:] 
Prepared Statement of Mark G. Clancy, Managing Director, The Depository 
Trust & Clearing Corporation On behalf of the American Bankers 
Association, Financial Services Roundtable, and Securities Industry and 
Financial Markets Association 

Chairman Rockefeller, Ranking Member Thune, and members of the Committee, 
thank you for scheduling today’s hearing on improving cybersecurity through the 
NIST and private sector partnership. 

My name is Mark Clancy, and I am the Corporate Information Security Officer 
at The Depository Trust & Clearing Corporation (“DTCC”). I also serve on the Exec- 
utive Committee of the Financial Service Sector Coordinating Council and as the 
Vice Chairman of the Financial Services Information Sharing and Analysis Center 
(FS-ISAC). 

DTCC is a participant-owned and governed cooperative that serves as the critical 
infrastructure for the U.S. capital markets as well as financial markets globally. 
Through its subsidiaries and affiliates, DTCC provides clearing, settlement and in- 
formation services for virtually all U.S. transactions in equities, corporate and mu- 
nicipal bonds, U.S. government securities and mortgage-backed securities and 
money market instruments, mutual funds and annuities. DTCC also provides serv- 
ices for a significant portion of the global over-the-counter (“OTC”) derivatives mar- 
ket. To provide insight into the criticality of DTCC’s role in the safe and efficient 
operation of the U.S. capital markets, in 2012, DTCC’s subsidiaries processed more 
than $1.6 quadrillion in securities transactions. 

Today, I am testifying on behalf of the American Bankers Association,¹ Financial 
Services Roundtable,² and the Securities Industry and Financial Markets Associa- 
tion³ who collectively represent a large segment of the financial services sector. 

At the highest level, we applaud and support the goals of S. 1353, The 
Cybersecurity Act of 2013 introduced by the leadership of this Committee. In my 
testimony today I will address current cyber threats, the sector-led initiatives to de- 
fend against these threats and the ways in which the Committee bill supports those 
efforts. Finally, I will stress the continued importance of crafting a more robust 
threat information sharing environment, particularly across our critical infrastruc- 
ture. 

Current Cyber Threat 

According to McAfee and the Center for Strategic and International Studies 
(CSIS), there is an estimated $100 billion annual loss to the U.S. economy and as 
many as 508,000 U.S. jobs lost as a result of cybercrime and cyber espionage. 

For the financial services industry, cyber threats are a constant reality and a po- 
tential systemic risk to the industry. Our markets and financial networks are predi- 
cated on trust and confidence. The trusted transfers and transactions that occur 
hundreds of millions of times a day are a fundamental prerequisite for modern cap- 
ital markets, investors, consumers, and governments to conduct business and drive 
economic growth. 

Given the reliance on technology and the importance of trust in the sector, in- 
dividual institutions, and the industry as a whole perform risk assessments based 
on the types of attacks and threat actors they are subject to. The industry groups 
threat actors into four categories — Crime, Hacktivism, Espionage and War. 

Crime — The motivation of these groups is financial gain. The threat intensity 
of these groups varies based on two factors: the capabilities of the actors and 
the vulnerabilities of the targets. While organizations are continually assessing 
and addressing potential gaps in their systems, criminals are just as quickly ac- 
quiring new technical skills and capabilities through a sophisticated cyber black 
market. 


¹ The American Bankers Association (ABA) represents banks of all sizes and charters and is 
the voice for the Nation’s $14 trillion banking industry and its two million employees. 

² The Financial Services Roundtable (FSR) represents 100 of the largest integrated financial 
services companies providing banking, insurance, and investment products and services to the 
American consumer. Member companies participate through the Chief Executive Officer and 
other senior executives nominated by the CEO. Roundtable member companies provide fuel for 
America’s economic engine, accounting directly for $98.4 trillion in managed assets, $1.1 trillion 
in revenue, and 2.4 million jobs. 

³ The Securities Industry and Financial Markets Association (SIFMA) brings together the 
shared interests of hundreds of securities firms, banks and asset managers. SIFMA’s mission 
is to support a strong financial industry, investor opportunity, capital formation, job creation 
and economic growth, while building trust and confidence in the financial markets. SIFMA, with 
offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial 
Markets Association (GFMA). 

Hacktivism — The term hacktivism is applied to groups or individuals who use 
computer intrusion or “hacking” techniques to promote and publicize an often 
radical political or cultural point of view. The most recent example of hacktivism 
has been the distributed denial of service (DDoS) attacks for which the Cyber 
Fighters of Izz ad-Din al-Qassam have claimed credit. These attacks against 
large financial institutions began in 2012 allegedly to protest the posting of the 
“Innocence of Muslims” video on YouTube. This group, like virtually all 
hacktivists, is not motivated by financial gain — it wants to make a high-profile 
political statement. The capabilities of hacktivists vary greatly, although it is 
common to find a few highly-skilled individuals operating in loose confederation 
with lesser-skilled, but highly-motivated actors. 

Espionage — The term cyber espionage was coined to reflect the “spy vs. spy” ac- 
tivity that has occurred between nations. However, cyber espionage has ex- 
panded in recent years beyond attempts to steal national secrets to now include 
cyber theft of proprietary information from corporations in an effort to gain an 
economic and competitive advantage over the commercial interests of a country. 

War — This generally refers to the launch of a cyber-missile or some other cyber 
weapon of mass destruction to devastate the capabilities of a government or cor- 
poration by causing a physical system to fail or to gain control over that system. 
Today, as many as 30 countries have cyber war units to protect and defend 
against such an attack, according to former Secretary of Defense Leon Panetta, 
who also oversaw a cyber-command center comprised of Army, Navy, and Air 
Force personnel. In addition, some countries are developing units to promote or 
instigate this type of warfare. 

The universe of threat actors, regardless of the category into which they fall, pose 
a significant and growing danger to the sector. These threats range from theft, to 
disruption and destruction. 

Theft — Actions resulting in the theft of customer, proprietary, or confidential 
data or information. The loss of essential account information has the potential 
to put the public in harm’s way for fraud and identity theft. If the crimes hap- 
pen regularly, confidence in the sector could erode. The theft of a customer’s ac- 
cess credentials when stolen via malicious software installed on the individual’s 
computer is particularly dangerous because that customer faces the potential 
loss of his or her funds and assets. 

Disruption — Actions intended to cause disruptions to systems and operations, 
denying authorized users access to the affected systems. For example, in the 
previously mentioned DDoS attacks against the sector, hacktivists successfully 
blocked or otherwise limited the availability of certain consumer-facing websites 
for brief periods, but did not impact any institution’s internal or critical func- 
tions. In the future, more severe cyber attacks could attempt to target these in- 
ternal, critical functions. 

Destruction — Actions intended to compromise the integrity of or cause the de- 
struction of data and systems. 

Financial firms take extreme precautions to guard against these three main types 
of incidents that could impact the integrity of customer or institutional data. Not 
only is this an issue addressed by individual institutions’ risk management func- 
tions, but also an issue that has interest by executive leadership to increase the in- 
vestment in this critical space. 

The Systemic Impact of Cyber Attacks on DTCC 

As mentioned earlier, DTCC serves as the critical infrastructure for global finan- 
cial markets. As a result, the organization brings a dual perspective to its view of 
the cyber risk environment and its impact on critical infrastructure. First, DTCC 
must examine and plan for cyber attacks that could impact its ability to perform 
clearance and settlement and other critical post-trade processes that underpin the 
global financial marketplace. Second, because of the interconnectedness of the finan- 
cial system, DTCC must also take into account the broader systemic risks that could 
result from a cyber attack on its systems. 

The global financial system is an enormous, interconnected “system of systems.” 
In other words, while individual institutions operate different parts of the critical 
infrastructure, the financial system itself is a product of the interactions of all these 
discrete actions. Because DTCC is connected to thousands of different market par- 
ticipants spanning the entire financial services industry globally, the organization 
must look beyond how a cyber attack could harm its own operations to the systemic 
impact on its members and the broader financial community. For example, if DTCC 
is unable to complete clearance and settlement due to systems disruptions or out- 
ages, buyers and sellers of securities would not know if their trades had completed 
and, therefore, what securities they own or how much capital they have. 

DTCC’s financial risk and operational assessments must take into account these 
essential functions and determine how non-performance would impact the markets 
it serves as well as the firms that utilize its products and services, the investing 
public and the U.S. economy. In other words, if a cyber attack directed at DTCC, 
or other critical financial market infrastructure, rendered its systems non-oper- 
ational, what would that do to the overall functioning of the financial system? If the 
financial markets could not operate, how would that affect liquidity and access to 
capital? This systemic view of cyber risk has driven DTCC to broaden its perspective 
on cybersecurity to include consideration of ways to mitigate low frequency but po- 
tentially high-impact scenarios that a monoplane risk assessment would have ig- 
nored. 

DTCC maintains an elaborate and sophisticated information security program to 
protect against the types of cyber attacks mentioned above. This includes ongoing 
collaborative efforts with the private and public sectors. The financial services in- 
dustry is currently engaged in a variety of public-private partnerships with the Fed- 
eral government to protect against cyber threats and safeguard the Nation’s critical 
market infrastructure. 

Sector-Led Initiatives 

The financial services sector recognizes the risks, views cybersecurity as a non- 
competitive area and works together to identify potential threats and techniques to 
mitigate them. A key organization to this coordination is the Financial Services Sec- 
tor Coordinating Council (“Council”), whose mission is to strengthen the resiliency 
of the financial services sector against cyber attacks and other threats to the Na- 
tion’s critical infrastructure. The organization’s leadership is comprised of industry 
utilities and operators, as well as industry associations, such as those on whose be- 
half I am testifying today. 

The Council is spearheading financial services participation in the discussions 
surrounding implementation of Presidential Executive Order 13636 — Improving 
Critical Infrastructure Cybersecurity through the involvement of the ABA as co- 
chair of the FSSCC Policy Committee and SIFMA as lead on the incentives efforts. 

The FSSCC Threat and Vulnerability Committee, co-chaired by the BITS⁴ divi- 
sion of FSR, discusses the evolving threat to identify sector initiatives for mitigation. 
The Committee also developed a methodology for identifying core infrastructure for 
the sector along with the Department of Treasury. 

The ABA, FSR and SIFMA are also collaborating with the U.S. Department of the 
Treasury, in concert with the Council, the Financial Services Information Sharing 
and Analysis Center and The Clearing House, in an effort to enhance the industry’s 
cybersecurity ecosystem. The effort has led to the development of an Action Plan 
of both short-and long-term improvements to the sector’s security posture focused 
on enhancing information sharing, increasing analysis, improving crisis manage- 
ment response and upgrades to core components of the cyber ecosystem. 

On July 18, the industry participated in Quantum Dawn 2, a cybersecurity exer- 
cise organized by SIFMA. Five hundred individuals from over 50 entities throughout 
the sector and government participated in this opportunity to run through their cri- 
sis response procedures, practice information sharing and refine protocols relating 
to a systemic cyber attack. Quantum Dawn 2 was executed on a simulation platform 
developed as a result of cybersecurity research funding from the Department of 
Homeland Security’s Science and Technology Directorate and was used in the exer- 
cise to simulate the U.S. equities markets. Participants are currently analyzing the 
findings to identify areas for improvement and best practices that will enable firms 
and the entire sector to better prepare for and defend against cyber threats. The 
exercise demonstrates the positive linkage between research and development in- 
vestments, such as simulation tools, and the ability to reduce cyber related risks 
through preparedness that could not have been accomplished using real world infra- 
structures. 

Lastly, some of these initiatives involve fundamental changes to the cyber eco- 
system. In December 2011, the ABA and FSR formed a new entity, fTLD Registry 
Services, LLC (fTLD), to apply for and run industry-related top-level domains. This 
decision was predicated upon an announcement by the Internet Corporation for As- 
signed Names and Numbers (ICANN) to allow for an unlimited number of top-level 


⁴ BITS, as the technology policy division of the Financial Services Roundtable, addresses 
issues at the intersection of financial services, technology and public policy, where industry co- 
operation serves the public good, such as critical infrastructure protection, fraud prevention, and 
the safety of financial services. 
domains (TLDs) beyond the 23 existing at the time (e.g., .com, .net and .org). fTLD’s 
goal is to represent the financial services community and to help assure that new 
TLDs related to the banking and insurance communities will reduce industry risk 
and protect customers and institutions. In addition, fTLD helps develop sound Inter- 
net practices and standards and advocates for secure Internet policies. 

Legislation 

We appreciate and support the goals of S. 1353, The Cybersecurity Act of 2013 
sponsored by Senator Rockefeller and Senator Thune. If made into law, Title I of 
this bill would leverage the National Institute of Standards and Technology (NIST) 
to facilitate the necessary private and public sector collaboration to establish vol- 
untary standards and best practices to better secure our Nation from cyber attacks. 

As discussed in detail above, the sector believes strongly in the importance of pri- 
vate sector leadership for responding to this threat. We also recognize the need for 
a partnership between the private sector and the government. The government 
plays a unique role in the protection of private sector companies. To be successful 
the collaboration needs to include the leadership in the private and public sector as 
well as the practitioners who address cybersecurity related risks every day. The 
frameworks and standards that are rooted in the global, real world, and real time 
nature of the threat, are those that will achieve the objectives of the Nation to re- 
duce risk from cyber threats to critical infrastructure. 

The sector works closely with our government counterpart the Financial and 
Banking Information Infrastructure Committee (FBIIC). The FBIIC, led by Treas- 
ury and chartered under the President’s Working Group on Financial Markets, is 
charged with improving coordination and communication among financial regu- 
lators, enhancing the resiliency of the financial sector, and promoting the public/pri- 
vate partnership. Essential to the sector’s success is the public sector’s commitment 
to the public/private partnership outside of the already mature regulatory regime. 

The sector has participated in a number of NIST initiatives over the years and 
has found the organization to be ideal for the development of standards and collabo- 
ration. Most notably, the industry has been involved and continues to participate 
in the implementation of the National Strategy for Trusted Identities in Cyberspace 
(NSTIC). 

Participation in the development of the Cybersecurity Framework by NIST has 
been a major initiative of the sector. We provided comments to NIST from the 
FSSCC with an emphasis on the existing national and international regulatory 
frameworks that the sector currently complies with. We have actively participated 
in the workshops and are appreciative of the specific efforts by NIST to seek the 
sector’s input on specific topics and understand how the Cybersecurity Framework 
will be used by our sector. 

In addition to specifying NIST as the government organization with the responsi- 
bility to develop standards, the legislation would enable critical steps for increasing 
research and development for the design and testing of software, educating the 
workforce, preparing students for future technical jobs and promoting a national 
cybersecurity awareness campaign. These are all critical issues to the financial serv- 
ices sector. 

There are two points for consideration as this bill moves forward. 

In the development of a research agenda, we strongly encourage you to include 
the evaluation of risk management throughout the supply chain. It is important for 
all sectors to improve their ability to detect and defend against software and hard- 
ware components that have been tampered with during production, shipment and 
throughout the international supply chain process. This recommendation is based on 
research and discussion done by the sector in the development of the Council’s re- 
search and development agenda.* 

In addition, as the NIST Director establishes a cybersecurity awareness and pre- 
paredness campaign, we encourage the Director to analyze and leverage the work 
already underway by the National Cyber Security Alliance. This organization, sup- 
ported by a number of sectors and government partners, developed the Stop. Think. 
Connect, campaign to encourage a shared responsibility across enterprises and indi- 
viduals for securing the Internet. 

Need for Information Sharing Legislation 

We encourage the passage of the S. 1353, The Cybersecurity Act of 2013. In addi- 
tion, we encourage the Senate to introduce and pass legislation that would enable 
increased cyber threat information sharing between the private sector and govern- 
ment, while providing the necessary privacy protections for individuals. 

* http://www.fsscc.org/fsscc/news/2013/FSSCC%20RD%20Agenda%20April%2024%202013.pdf 

Our sector works collaboratively with our government partners to: 

• Prepare for cyber attacks by collecting, analyzing and disseminating threat in- 
formation to the extent currently feasible, assessing systemic risks, and con- 
ducting joint exercises. 

• Stay ahead of adversaries and reduce the number of incidents by anticipating 
threats, implementing countermeasures and addressing critical vulnerabilities. 

• Identify incidents as they occur by implementing key controls that would im- 
prove our ability to detect and block cyber attacks at “net speed”. 

• Respond to incidents in the manner that will reduce the impact and risk to the 
financial institution and the sector. 

• Improve security posture, and minimize impact through robust forensics, inves- 
tigations and learned capability. 

Given the interconnected nature of cyberspace, institutions recognize that the 
strongest preparations and responses to cyber attacks require collaboration beyond 
their own companies. As a result, the sector has engaged in a number of collabo- 
rative efforts. Through the FS-ISAC, participants share threat information between 
financial institutions and the Federal government, law enforcement and other crit- 
ical infrastructure sectors. The FS-ISAC also has a representative for the sector on 
the National Cybersecurity and Communications Integration Center floor to provide 
the Department of Homeland Security (DHS) insight into the financial sector’s 
issues and incidents and provide an additional fan out for information from DHS 
to the sector. 

Cyber attacks are not specific to the financial services sector, but are the concern 
of all targeted sectors, making it essential to be able to share threat information 
across sectors. Currently, we all experience attacks and work within our sectors as 
the law allows. Viruses, trojans and other malicious software may be written to tar- 
get a specific sector, but are often developed or leveraged to attack other sectors for 
additional purposes. Attackers are looking for methods to increase efficiency, so 
their ability to reuse these tools in attacks on multiple sectors accomplishes this 
goal. Our attackers share information related to their attacks. American businesses 
defending against cyber attacks need that same capability. The ability to share in- 
formation across sectors and with the government is necessary to effectively pre- 
pare, recognize and respond to attacks that hit across sectors. As our adversaries 
evolve, techniques become more complex, and coordinated attacks become common- 
place, we need to advance our ability to respond in a collective, coordinated fashion. 

The ability to share information more broadly is critical and foundational to our 
preparation for and response to future attacks. While we constantly review opportu- 
nities to improve the information shared within our industry, it is vital that our ef- 
forts also include sharing information across sectors and between the government 
and the private sector. Each company and public sector entity has a piece of the 
puzzle and an understanding of the threat. Our ability to share this information will 
greatly increase our ability to prepare and respond to threats. 

Conclusion 

On behalf of the DTCC and the financial services industry, I would like to thank 
you for holding today’s hearing to continue to raise awareness on this critical issue 
and for inviting us to testify. I would be happy to answer any questions. 

The Chairman. Thank you, sir. 

Dorothy Coleman is Vice President of Tax, Technology and Do- 
mestic Economic Policy of the National Association of Manufactur- 
ers. We welcome you. 

STATEMENT OF DOROTHY COLEMAN, VICE PRESIDENT, 
TAX, TECHNOLOGY AND DOMESTIC ECONOMIC POLICY, 
NATIONAL ASSOCIATION OF MANUFACTURERS 

Ms. Coleman. Chairman Rockefeller, Ranking Member Thune, 
and members of the Committee, thank you for the opportunity to 
appear today to testify on behalf of our nation’s manufacturers. 

My name is Dorothy Coleman. I am the Vice President of Tax, 
Technology and Domestic Economic Policy at the National Associa- 
tion of Manufacturers, the Nation’s largest industrial trade associa- 
tion, representing small and large manufacturers in all industry 
sectors and in all 50 States. 

The NAM has enjoyed a close working relationship with the 
Committee for a number of years, and we appreciate your support 
and leadership on a number of issues that are important to our in- 
dustry, including cybersecurity. 

One of NAM’s top four goals is to ensure that manufacturers in 
the United States are the world’s leading innovators. Cybersecurity 
is key to achieving this goal. 

We support creating a voluntary, industry-led standards develop- 
ment process, strengthening the cybersecurity research and devel- 
opment strategy inside the Federal Government, creating a highly 
skilled cybersecurity workforce, and raising public awareness of 
cyber threats. The Cybersecurity Act of 2013 represents a sensible, 
bipartisan, nonregulatory approach and highlights the importance 
of moving forward on this issue. 

Manufacturers are entrusted with vast amounts of data through 
their relationships with customers, suppliers, and governments. 
They are responsible for securing the data, the networks on which 
the data run, and facilities and machinery they control. Manufac- 
turers are the owners, operators, and builders of our nation’s crit- 
ical infrastructure, ranging from energy plants to highways. They 
rely on technology to design, produce, and deliver products ranging 
from nanoscale electronic devices to fighter jets. 

The design, collaboration, and information that helped drive this 
innovation has moved almost exclusively online, exposing compa- 
nies to cyber thieves constantly attempting to penetrate networks 
and steal intellectual property to replicate products and designs 
and disrupt business activity and critical infrastructure. 

Manufacturers recognize they have to secure their networks, 
their controls, and their data. In a recent NAM membership sur- 
vey, 96 percent of respondents said they have ongoing efforts to 
strengthen their information technology networks and protect their 
IP. More than 90 percent of the respondents have upgraded their 
IT assets, and more than half have hired outside cybersecurity ex- 
perts. 

Thus, the NAM encourages the Federal Government to advance 
cybersecurity preparedness through increased collaboration and co- 
ordination with the private sector. Our top priority is allowing vol- 
untary sharing by the public and private sector of real-time threat 
information to allow manufacturers to better protect themselves 
from cyber threats. 

In addition, any cybersecurity initiative should protect personally 
identifiable information and civil liberties and not grant the Gov- 
ernment new authority in this realm or the ability to monitor or 
censor private networks. 

We oppose the creation of a static, regulatory-based government 
regime. Potential cyber threats change rapidly and manufacturers 
need the flexibility to pivot quickly and defend against these 
threats in real time. Time spent complying with outdated and bur- 
densome regulations will negatively impact manufacturers’ ability 
to protect their key assets. 
Comments by NAM members to NIST reflect their belief that 
any cybersecurity framework should be voluntary, risk-based, and 
flexible enough to keep pace with ever-changing cyber threats. 
Most importantly, any threat information the Government can 
share with the private sector will be the most effective way to com- 
bat cyber threats. 

The framework also should act more as guidelines for best prac- 
tices and take into account the global presence of manufacturers 
and related international standards in place. A major concern is 
that the creation of any new set of standards, even if they are vol- 
untary, could lead to another regulatory regime and cause even 
more challenges to manufacturers. 

We are pleased that your legislation addresses many of these 
challenges, and we appreciate your balanced, nonregulatory ap- 
proach to reduce the risk of cyber threats based on a public/private 
partnership. The National Cybersecurity Research and Develop- 
ment Plan would further secure wireless technology, software sys- 
tems, and the Internet while guaranteeing individual privacy. 

We also support the creation of cybersecurity modeling and test 
beds to examine our capabilities and determine our needs. 

We appreciate your efforts to raise the priority of cybersecurity 
through all agencies. 

At the end of the day, however, the ability to receive real-time 
threat information remains manufacturers’ top priority and will be 
the most effective way to combat cyber threats. 

Manufacturers also realize that an ongoing partnership with the 
Federal Government is important. NAM members generally sup- 
port establishing NIST as a facilitator of industry-led discussions 
on standards, guidelines, and best practices. Many NAM members 
are participating in the NIST Cybersecurity Framework discus- 
sions. Those sessions have been productive and our members want 
the process to continue. 

At the same time, there are concerns that codifying NIST as the 
facilitator may somehow negatively impact the process or, even 
worse, give NIST the authority to recommend binding regulations. 
As noted before, manufacturers will not support any legislation 
that creates a new, overly burdensome regulatory regime. 

Thus, we are pleased that creating new regulations is neither the 
intent nor the goal of your legislation. We appreciate that your bill 
specifies that any recommended standards will be voluntary and 
will not prescribe specific technology solutions, products, or serv- 
ices. 

In conclusion, manufacturers’ ability to protect their products, 
processes, facilities, and customers is critical for their continued 
success and the broader economic security of the Nation. Your bill 
represents a good first step in assisting manufacturers in their on- 
going efforts to reduce their cyber risk. 

Thank you for the opportunity today to appear before you. The 
NAM looks forward to working with the Committee as the process 
moves forward. Thank you. 

[The prepared statement of Ms. Coleman follows:] 
Prepared Statement of Dorothy Coleman, Vice President, Tax, Technology 
and Domestic Economic Policy, National Association of Manufacturers 

Chairman Rockefeller, Ranking Member Thune and members of the Committee, 
thank you for the opportunity to appear today to testify on behalf of our nation’s 
manufacturers on “The Partnership Between NIST and the Private Sector: Improv- 
ing Cybersecurity.” 

My name is Dorothy Coleman, and I am the Vice President of Tax, Technology 
and Domestic Economic Policy at the National Association of Manufacturers (NAM), 
the Nation’s largest industrial trade association, representing small and large man- 
ufacturers in every industrial sector and in all 50 states. We are the voice of 12 mil- 
lion manufacturers in America. 

The NAM has enjoyed a close working relationship with the Committee for a 
number of years. Mr. Chairman, we appreciate your unwavering support for the 
Hollings Manufacturing Extension Partnership, which has proved invaluable for 
small manufacturers in West Virginia and around the country working to develop 
the next breakthrough manufacturing technology. Thank you, too, for your leader- 
ship on spectrum issues, which are critically important to the many manufacturers 
that use wireless technology in their businesses. 

Ranking Member Thune, the NAM and our members have worked closely with 
you on multiple issues. You have been a strong advocate for the close to 40,000 
manufacturing employees in South Dakota on both tax and trade issues. We look 
forward to continuing our working relationship with you on cybersecurity and the 
other legislative priorities for manufacturers. 

Cybersecurity has been a focus of this committee in recent years. On behalf of our 
nation’s manufacturers and all those who want to ensure the protection of our crit- 
ical assets and intellectual property (IP) and to work together with the Government 
to achieve this goal, I am pleased to testify on the Cybersecurity Act of 2013 and 
to discuss the partnership between the National Institute of Standards and Tech- 
nology (NIST) and the private sector. 

Overview 

Manufacturing remains an important economic force in the United States, rep- 
resenting 12 percent of the U.S. economy. Nonetheless, despite the critical role the 
industry plays in the economy, taxes, legal costs, energy prices and burdensome reg- 
ulations make it 20 percent more expensive to manufacture in the United States 
than in any other country. 

The NAM’s Growth Agenda: Four Goals for a Manufacturing Resurgence in Amer- 
ica is a comprehensive plan to address these challenges, unleashing the economy 
and manufacturing’s outsized multiplier effect. The Growth Agenda makes the case 
for pro-growth policies to ensure that: 

• The United States will be the best place in the world to manufacture and at- 
tract foreign direct investment; 

• Manufacturers in the United States will be the world’s leading innovators; 

• The United States will expand access to global markets to enable manufactur- 
ers to reach the 95 percent of consumers who live outside our borders; and 

• Manufacturers in the United States will have access to the workforce that the 
21st century economy demands. 

Manufacturers recognize that we face very specific challenges in achieving these 
goals. In particular, in pursuing our goal to be the world’s leading innovators, our 
industry faces constant threats from nefarious actors in cyberspace attempting to 
access our IP and operations unlawfully. These threats endanger our continued eco- 
nomic growth and safety of our citizens. 

Thus, the NAM believes that we need to develop appropriate general and indus- 
try-specific best practices for improved cybersecurity. In formulating cybersecurity 
policy, we support a public-private partnership that draws on industry best prac- 
tices. 

The cybersecurity debate has moved forward significantly this year, and the busi- 
ness community has the leadership of you, Mr. Chairman, and Ranking Member 
Thune to thank for that. Your bill represents a sensible, bipartisan, non-regulatory 
approach to an issue of utmost importance to the manufacturing industry. Manufac- 
turers support creating an industry-led, voluntary standards development process, 
strengthening the cybersecurity research and development strategy inside the Fed- 
eral government, creating a high-skilled cybersecurity workforce and raising public 
awareness of cyber threats. 

The introduction of this bill has also effectively signaled to the business commu- 
nity and to your Senate colleagues the importance of moving this issue forward. 
There are a number of additional issues that other committees need to debate, but 
we are pleased with the steps you have taken. 

Manufacturers and Cybersecurity 

Manufacturers are entrusted with vast amounts of data through their comprehen- 
sive and connected relationships with customers, vendors, suppliers and govern- 
ments. They are responsible for securing the data, the networks on which the data 
run and the facilities and machinery they control at the highest priority level. 

In addition, manufacturers are the owners, operators and builders of our nation’s 
critical infrastructure. They manufacture and use the temperature controls regu- 
lating the grain silos that store our nation’s food supplies. They build and manage 
the systems operating the traffic signals that govern the rules of the road. Manufac- 
turers make technology products ranging from nanoscale electronic devices to fight- 
er jets. They build and run the energy plants that power our homes and businesses 
and the heavy machinery exploring the oil and gas fields that make America com- 
petitive. 

In addition, manufacturers leverage technology to design, produce and deliver 
these products. Technology is also used to manage, monitor and secure key facilities 
and products, including trade secrets and patents. 

These products, controls, systems, patents, trade secrets and all other tools that 
differentiate manufacturers in the United States from their competitors are the 
envy of the world. The movement of design, collaboration and information that helps 
drive this innovation almost exclusively online has created a new vulnerability: ex- 
posure to cyber thieves that are constantly attempting to penetrate networks to 
steal this IP. This illegal activity allows bad actors to replicate products and designs 
and disrupt business activity and critical infrastructure. 

The stakes are high. What was once only the concern of businesses’ IT depart- 
ments has now become an important issue throughout manufacturing facilities, 
large and small. Leaders of manufacturing enterprises know they have to secure 
their networks, their controls and their data. In fact, in a recent NAM membership 
survey, 96 percent of respondents said they have ongoing efforts to strengthen their 
information technology networks and protect their IP to reduce their risk. More 
than 90 percent have upgraded their IT assets, and more than half have hired out- 
side cybersecurity experts. 

Manufacturers know the economic security of the United States is related directly 
to our cybersecurity. Given that our economic security is critical to our national se- 
curity, manufacturers are leaders in cyber defense and are working constantly to 
ensure their companies, products and customers are secure. 

Cybersecurity Policy 

During the cybersecurity debate in recent years, the NAM has been clear on what 
actions we believe the government should take to address current cyber threats 
most effectively. We have communicated our priorities to leaders in both the House 
and Senate and to the White House. I am pleased to share those with you again 
today, and I applaud you for addressing a number of these issues over which your 
committee has jurisdiction. 

NAM members value the strong partnership they have with the public sector and 
believe that partnership should extend to cybersecurity efforts. The NAM encour- 
ages the Federal government to advance cybersecurity preparedness through in- 
creased collaboration and coordination with the private sector. 

In particular, manufacturers’ top priority is allowing the voluntary sharing by the 
public and private sector of real-time threat information to allow manufacturers to 
better protect themselves from cyber threats. In contrast, under current law, the 
government is prohibited from sharing sensitive cyber threat information with the 
private sector. Manufacturers are hesitant to share information with the govern- 
ment due to liability uncertainty and exposure. Companies also are not permitted 
to share information freely with their peers. 

The NAM supported the Cyber Intelligence Sharing and Protection Act (CISPA) 
of 2013 (H.R. 624), which the House passed earlier this year. This legislation, if 
signed into law, will allow the government to share timely and actionable threat and 
vulnerability information with the private sector. Mr. Chairman, as a member and 
former chairman of the Senate Intelligence Committee, we encourage you to work 
with your colleagues on that panel to address the issue of information sharing. 

Manufacturers value the privacy of individuals and the need to protect personally 
identifiable information and civil liberties. We believe that any cybersecurity initia- 
tive the Federal government undertakes separately or in partnership with the pri- 
vate sector should place a premium on ensuring this information is secure. At the 
same time, it is important to ensure that any effort does not grant the government 
any new authority in this realm or give the government the ability to monitor or 
censor private networks. 

Developing a Cybersecurity Standards Framework 

The NAM believes that the public and private sector must partner closely to es- 
tablish the best way to defend against ever-changing cyber threats manufacturers 
face. We oppose, however, the creation of a static, regulatory-based regime. This ap- 
proach will not enhance cybersecurity — it will do just the opposite. 

The cyber threat that now confronts all entities in both the public and private sec- 
tor is commonly known as the “advanced persistent threat” or APT. Cyber hackers 
and thieves are changing their tactics every minute. Manufacturers need the flexi- 
bility to pivot quickly and defend against these threats in real time. Any mandatory 
regulations imposed on manufacturers will be obsolete the day they are published. 
The time spent complying and adjusting to outdated, burdensome and potentially 
duplicate regulations will negatively impact manufacturers’ ability to protect their 
key assets. 

Rather than develop mandatory regulations, the government should apply to the 
cybersecurity challenge the public-private partnership model that has been effective 
in other areas. While the Federal government has the resources to facilitate indus- 
try-led discussions on how best to defend against the APT, industry officials bring 
real-world expertise and experience unique to their segment. 

In fact, NAM member companies have been on the record in their comments to 
NIST and in their participation in the cybersecurity framework discussions around 
the country that implementing any framework should be on a voluntary company- 
by-company basis. The framework needs to be risk-based, and it must keep pace 
with ever-changing cyber threats. Most importantly, any threat information the gov- 
ernment can share with the private sector will be the most effective way to combat 
cyber threats. 

A one-size-fits-all approach to a standards framework will not be effective. Manu- 
facturers vary in size, come from a cross-section of diverse industry segments, have 
differing amounts of available resources and are exposed to external actors in dif- 
ferent ways. These factors all will play a role in how each manufacturer implements 
a cybersecurity strategy. Imposing a single regulatory model would result in little 
or no participation in the framework. Rather, the framework should act more as a 
guideline and advocate for best practices. The framework must also take into ac- 
count the global presence of manufacturers and all international markets in which 
they operate and the related international standards already in place. 

The most common theme we have heard from our members is that a number of 
standards already exist. A major concern is that the creation of any new set of 
standards — even if they are voluntary — could lead to another regulatory regime and 
cause even more challenges for manufacturers. Any framework NIST may develop 
must take into account existing standards already being followed by the private sec- 
tor. 

Cybersecurity Act of 2013, S. 1353 

The Cybersecurity Act of 2013, S. 1353, introduced yesterday addresses many of 
the challenges described above. Mr. Chairman and Ranking Member Thune, we ap- 
preciate your efforts to reach out to all stakeholders to create a balanced approach 
to reduce the risk of cyber threats to critical infrastructure based on a public-pri- 
vate partnership model. 

The legislation would create a national cybersecurity research and development 
plan to further secure wireless technology, software systems and the Internet, while 
guaranteeing individual privacy. The legislation would also create cybersecurity 
modeling and test beds to examine our capabilities and determine our needs. It does 
all of this while ensuring coordination across the government. We appreciate your 
efforts to raise the priority of cybersecurity throughout all agencies. 

Your bill also would place a priority on developing a high-skilled cybersecurity 
workforce. Through competitions, challenges and scholarships, it would create incen- 
tives to join this growing workforce at a time when our country needs it most. Most 
importantly, it would assess current skill sets and help determine what more is 
needed in curriculum and training to ensure we have the workforce we need. Manu- 
facturers are facing a skills shortage in many disciplines, and any effort to close 
that gap is one we support strongly. 

The national cybersecurity awareness and preparedness campaign has been well 
received by NAM members. Efforts to increase the cyber intelligence and cyber safe- 
ty of the public and state and local governments will benefit manufacturers as they 
hire the workers they need and as they operate in their communities. 
We have heard the most from our member companies on Title I of the bill, Pub- 
lic-Private Collaboration on Cybersecurity. As I stated earlier in my testimony, the 
ability to receive real-time threat information remains manufacturers’ top priority. 
This will be the most effective way to combat cyber threats. Manufacturers realize 
that an ongoing partnership with the Federal government — in addition to informa- 
tion sharing — is also important. 

In addition, NAM members generally support establishing NIST as a facilitator 
of industry-led discussions on standards, guidelines and best practices among other 
efforts to reduce cyber risks to critical infrastructure. Many NAM members are par- 
ticipating in the NIST cybersecurity framework discussions underway. Those ses- 
sions have been productive, and our members want the process to continue. 

Nonetheless, they have some concerns about this approach. In particular, some 
companies are concerned that codifying NIST as the facilitator may somehow nega- 
tively impact the process, or even worse, give NIST the authority to recommend 
binding regulations. 

It is our understanding that creating new regulations is neither the intent nor the 
goal of the legislation. We appreciate that this is referenced specifically in the bill, 
which requires that any recommended standards are voluntary and will not pre- 
scribe specific technology solutions, products or services. The legislation is even 
more specific by citing that any information shared in the standards development 
process shall not be used to regulate any activity of the sharing entity. 

On behalf of the NAM’s 12,000 members, this is a point I cannot stress strongly 
enough — manufacturers will not support any legislation that creates a duplicative 
regulatory regime that puts undue burdens on manufacturers. We are, therefore, 
pleased that this legislation prohibits that from happening while at the same time 
solidifies the public-private partnership in efforts to address an issue of critical im- 
portance to our nation. 

Conclusion 

In our fast-moving, hyper-competitive 21st-century economy, cybersecurity is an 
issue of increasing importance to the manufacturing industry. The stakes are high 
for manufacturers and the rest of the business community. Manufacturers’ ability 
to protect their products, processes, facilities and customers is critical for their con- 
tinued success and the broader economic security of the Nation. The legislation the 
Committee is examining today represents a good first step in assisting manufactur- 
ers in their ongoing efforts to reduce their cyber risk. Manufacturers must and will 
continue to drive the process, and a partnership with the government is a key com- 
ponent of the effort. The NAM supports the goals of the legislation and appreciates 
the Committee’s efforts to address this important issue. Thank you for the oppor- 
tunity today to appear before you. The NAM looks forward to working with the 
Committee as the process moves forward. 

The Chairman. Thank you. 

I should inform our colleagues that the vote starts in about 3 or 
4 minutes. Senator Thune, I can stay. I will stay, or I will come 
back if I go vote. But if there are members, Senator Klobuchar or 
you, sir — if you cannot come back, then you may want to ask a 
question now. 

Senator Klobuchar? 

Senator Klobuchar. I will just ask one question here at the be- 
ginning. 

The Chairman. Actually, Heinrich comes before you. 

Senator Klobuchar. Well, there we go. 

[Laughter.] 

STATEMENT OF HON. MARTIN HEINRICH, 

U.S. SENATOR FROM NEW MEXICO 

Senator Heinrich. That rarely happens. 

Dr. Gallagher, I just wanted to ask you a quick question about 
how — you have expounded a lot in terms of the collaboration that 
you have with the private sector and how critical that is. How do 
you also learn from the other agencies and entities that you work 
with within the public sector who have specific expertise in this 
area so that we can make sure that that then has a direct benefit 
on the private sector? And in particular, I know in my district you 
are very familiar with what Sandia does. They get about 20,000 to 
30,000 attacks an hour. What is the mechanism for making sure 
that what we learn from some of those things makes it out into the 
private sector where appropriate? 

Dr. Gallagher. So thank you. I do not know if you know — my 
father was a lifelong employee at Sandia National Labs and I have 
been out there looking at their cybersecurity work. 

You are exactly right. There are two actual roles of NIST. One 
is the technical depth, and we have talked about that. And that is 
so important in terms of providing a venue to work with the pri- 
vate sector and be neutral. 

But the other role of NIST is coordination of standards in the 
sense that we are sort of a corporate memory within the Federal 
Government about how to work with the private sector on various 
standard setting activities, whether it is Smart Grid in energy or 
whether it is cloud computing, or health care information systems. 

One of the other roles we have is a very natural collaboration 
role with the other Federal agencies. That has been a key part of 
this effort as well, working with a very broad range of agencies. 
You can imagine, given the definition of critical infrastructure, it 
is basically a very large group of agencies: Energy Department, 
Transportation, Department of Treasury, Homeland Security, our 
intelligence community, and so forth. So that is a key part. This 
is an “all hands on deck” effort. We want to bring as many smart 
people as we can into the effort. 

Senator Heinrich. Thank you. 

Thank you, Mr. Chairman. 

The Chairman. That is it? 

Senator Heinrich. Yes. 

The Chairman. Are you sure? OK. 

Senator Klobuchar? 

STATEMENT OF HON. AMY KLOBUCHAR, 

U.S. SENATOR FROM MINNESOTA 

Senator Klobuchar. Mr. Chairman, thank you so much for hold- 
ing this hearing on this incredibly important topic. 

I would like to underline the fact that cyber crime and espionage 
are resulting in major financial losses for American businesses. 
Last year, General Keith Alexander, the head of Cyber Command 
and the National Security Agency, said that they represent the 
largest transfer of wealth in human history. 

Recent reports by McAfee, the Center for Strategic and Inter- 
national Studies estimate that the toll of cyber crime is about $100 
billion per year. 

Under Secretary Gallagher, what is your best dollar figure esti- 
mate of the economic toll on American business due to cyber crime 
and espionage? 

Dr. Gallagher. I do not think I can improve on your estimate. 
So I will not hazard one. 

Senator Klobuchar. OK, very good. 

Do you think that there are enough incentives in place for the 
private sector to participate in NIST’s process for establishing 
standards? Do you think the current incentives are sufficient, or do 
you think more needs to be done? 

Dr. Gallagher. So the view I have taken on the incentives ques- 
tion is that it is going to be easier to evaluate that when we are 
trying to put the framework into place. The framework is designed 
to be aligned with business. The goal here is to make good 
cybersecurity performance equivalent to good business practice. 
Therefore, the right way to look at the incentives question is to 
look at the friction as companies are trying to put this framework 
into place. It could be the business-to-business relationship, and we 
have talked about that. It could be about the risk sharing. It could 
be about the interaction between the private sector companies and 
the Government. And I think until we start getting some experi- 
ence with how this framework of practices starts to go in place, it 
is going to be difficult to guess which of the incentive issues are 
going to be most important. But I think the goal is to try to make 
this equivalent to good business. 

Senator Klobuchar. Anyone want to add anything else? 

Mr. Coviello. I would be happy to add to that. 

I think there is going to be a tremendous incentive to adopt this 
framework. As I said in my opening remarks, as companies adopt 
more and more technology to improve the productivity in their 
business operations, they are going to expose themselves more and 
more to these cyber threats. So, it will be a business imperative to 
have the ability to defend themselves. 

I think the level of not only awareness but understanding of the 
threat and the problem has risen dramatically in the last several 
years due to a number of well publicized attacks and the very fig- 
ures that you quote. So I think it is going to be a matter not only 
of a priority for businesses but one that could even provide com- 
petitive advantage by having the best cybersecurity regime pos- 
sible. 

Senator Klobuchar. Well, just along those lines, my last ques- 
tion is — I will put some more in the record. But one of the parts 
of this bill that I think is really important is the National 
Cybersecurity Awareness Campaign. Frameworks and voluntary 
standards are useless if our citizens do not practice cybersecurity 
at home, at school, at work, and I think without the public under- 
standing and understanding the significance of the challenge, we 
are going to continue to be vulnerable. 

Does anyone want to talk about that? Mr. Clancy? 

Mr. Clancy. I would be happy to. 

So I have used a lot in my conversations metaphors because most 
people do not understand the technical world that I live in. The one 
I use in that case is around seat belts. So we have NIST that gives 
us a good set of specifications of what a seat belt should do, what 
its action should be, how you install it in the car. We also need to 
make sure that people are wearing them. And we are in the early 
days. This is cars in the 1950s where we did not have seat belts. 
Right? That is where we are with cybersecurity. So the combination 
of the good standard and the education for the public at large, as 
well as people who are the ones who install and fabricate seat 
belts — that is kind of what we need for this ecosystem that will 
change the physics of the problem that we suffer through today. 
Senator Klobuchar. Very good. And I think also I would just 
add that I think higher education institutions could play a role in 
this as well. I happen to know a few that are pretty good in my 
State. But I think that that would make a difference as well. 

So thank you very much for your work, and I look forward to 
working with you, Mr. Chairman, on this bill. Thank you for your 
leadership. 

The Chairman. Well, thank you. Do you wish to name each of 
those institutions? 

Senator Klobuchar. They know who they are. 

The Chairman. You are from Minnesota. You might as well do 
it. 

Senator Klobuchar. Well, like the University of Minnesota, a 
small Big 10 school, or St. Cloud State. 

The Chairman. OK. I have heard of it, yes. 

[Laughter.] 

Senator Klobuchar. The Golden Gophers. 

[Laughter.] 

The Chairman. Mr. Gallagher, NIST and your computer security 
division in particular has taken on the job of establishing some 
very technical and complex standards over the years. I am not sure 
everybody on the Committee or elsewhere understands the extreme 
difficulty of your mission or the scientific rigor with which you ap- 
proach your standards work. 

Now, one of the witnesses just made a very important thing 
when he was talking about seat belts. He said it is one thing to 
develop seat belts. It is another thing to use them. And that I think 
trails generally along in this whole conversation. 

The representative of NAM said we could not support anything 
where you were required to wear your seat belt, I mean, in allegory 
terms. 

And that is troubling because all of you have been hacked into. 
All of us have been hacked into. I even got so desperate that I got 
the SEC — and now it is law — to say that every time anybody is 
hacked into, they have to report that to the SEC and the SEC has 
to put it on its Web site as a way of informing their shareholders 
that they better be doing something about this. 

So the question of doing something about it but then actually 
finding out what is the best possible standard and somehow adher- 
ing to that is not inconsequential. That is not a part of what we 
are doing here. It is not a part of our bill. But it is something I 
think we have to keep in mind. 

Anyway, a lot of your most complex standards are adopted world- 
wide, like algorithms for search engines. Could you just kind of 
give me a walk through, before I have to race out of here and to 
come back, on how do you facilitate with the private sector con- 
sensus on standards that are essential like this? How do you get 
it? 

Dr. Gallagher. So the NIST role in supporting the technical 
side of standards setting is really derived from our measurement 
science roots, and they tend to have two characters to them. In 
some cases, a standard, a common practice, a desired practice is by 
its very nature very technical. It may be based in science. A good 
example is encryption where you need an ability to write a code 
using a public key infrastructure that works and has a certain re- 
sistance to attack. The answer to that is actually answered through 
a lot of mathematics, very complicated mathematics, to take a look 
and prove that performance. So this is a case where there are tech- 
nically better answers and worse answers, and the job at NIST is 
for those scientists and mathematicians to work with the world’s 
experts in these algorithms to look at the features of these codes 
and to see which ones work. 

The other type of standard is actually a case where there could 
be several right answers, let us say, interoperability where in a cer- 
tain type of transmission standard or data standard there could be 
one type of file format or another type of file format, and if we do 
not come to agreement, the systems would not be able to talk to 
each other and that would be a problem. In that case, it is not that 
the science or technology is dictating that one answer is necessarily 
better than the other, and it is more about getting the community 
of practice, the companies, together and having a discussion about 
which one we are going to settle on. And in some cases, what that 
boils down to is how will we know that we are complying with the 
standard, and that could be a measurement, a test. And what the 
NIST role will be is supporting the test that works. 

So it is interesting that 

The Chairman. I am panicking a little bit here. You just used 
the words “settle on” and you used the word “standard.” So my 
question is supposing everybody again being hacked into and lots 
of them not knowing it, doing something about it, maybe not. You 
get some big companies or some semi-big companies in there and 
you are discussing with them what could be the best approach for 
them. And they come very close to agreeing with each other but do 
not entirely agree with each other. There is a scientific sort of a 
miscommunication of some sort or a difference of opinion. How do 
you resolve that if you want to see this put in practice? 

Dr. Gallagher. So the most straightforward way to resolve that 
is through a test. So I think the point that you care about in this 
case is the overall security performance of that system is what 
matters. And so what you want to do is have a testable level of per- 
formance. So in the middle of this discussion between companies, 
if they have different options about how to achieve that perform- 
ance, the role of NIST will often be in finding out which one works 
better and then coming up with a test, a rigorous test that can be 
used to demonstrate that the standard works. And that is often 
what our role is in supporting that type of activity. 

The Chairman. What do you do if one test works and the other 
company’s test does not work but they both think that is what they 
should be doing? 

Dr. Gallagher. It depends on the use. So if the standard is com- 
pletely commercial, if this is a VHS versus BetaMax discussion and 
there is no public consequence, we may not do anything. Most 
standards in this country are in the private sector. That is what 
the National Technology Transfer and Advancement Act tells us to 
do is depend on that private sector infrastructure. 

But if the performance is safety or security or something where 
there is a strong public sector interest, then in fact we do not have 
to adopt it. We do not have to use it. We do not have to recognize 
it. And that is one of the reasons why it is so important in these 
efforts, particularly in something like cybersecurity, that the public 
sector agencies, Federal, State, and local, are participating in this 
process because there is clearly a public interest here in the integ- 
rity of these systems. They would not be critical infrastructure oth- 
erwise. 

The Chairman. OK. 

I have got 3 minutes to go 10 minutes. So I am just going to sort 
of recess this for a moment, and then I will be right back. And 
John Thune will be right back. So we are in recess. 

[Recess.] 

Senator Thune [presiding]. The hearing will reconvene. 

That was a very short break. I got a feeling you guys did not get 
an opportunity to do much during that break. But we will try and 
keep it rolling so we can keep this thing on schedule and wrap up 
at a reasonable hour. But we do appreciate your indulgence and 
patience around what inevitably happens here in terms of votes. 

I will direct this to you, Mr. Gallagher. I want to commend you 
for NIST’s efforts thus far in working collaboratively with industry 
to address the cyber threat. We have received positive feedback 
from industry regarding the workshops that you have hosted and 
the transparency of your process. 

The legislation that Chairman Rockefeller and I have introduced 
authorizes NIST on an ongoing basis to facilitate and support the 
development of an industry-led and voluntary set of standards to 
improve security, as we mentioned in the opening statements. 

In your testimony today and previously, you have also stressed 
the importance of the process being industry-led. And I am won- 
dering if perhaps you could elaborate on why an industry-led proc- 
ess will be successful and create, in the end, a better product. 

Dr. Gallagher. So thank you. 

I think there are three major reasons why the industry leader- 
ship is essential. 

The first one Art Coviello actually touched on in his opening 
statement, which is the know-how and the capacity are largely in 
industry, and embracing that is the best way to have an agile proc- 
ess that in fact keeps up with this technology. It is evolving very, 
very quickly. 

The other reason is that having an industry-led process vastly in- 
creases the chances that the answer is compatible with business. 
And since the goal here is to put this into use — having a standard 
on a shelf is not going to help anyone — then the more we can align 
these practices with good business practices, the types of risk man- 
agement that companies do anyway, the better off this will work. 

And the third reason is it can operate at the scale of markets. 
The Internet information technology is global, and if this is a Gov- 
ernment-led effort, the answer we come up with is not going to be 
acceptable around the world probably because it was Government 
developed. But if industry develops it, it can be internationally 
used and it can harmonize efforts across markets all around the 
globe. And so I think from a trade and competitiveness perspective, 
the technologies, the solutions, the software work around the 
world, and that is something that would not happen unless indus- 
try led the effort. 
Senator Thune. And could you describe a little bit how you are 
working with industry stakeholders to ensure that the framework 
that you are developing with industry will be flexible, performance- 
based, and also cost effective? 

Dr. Gallagher. So we are working as aggressively as we can to 
pull in existing practices where many of those features have been 
demonstrated already. And the issue of scalability — that almost 
forces you to have a performance-based system because the things 
you do in a very large, multinational corporation are going to be 
very different than the things you would do in a company with 5 
to 10 employees. But the types of things, the performance you are 
trying to achieve in fact had the same goals. 

And the other thing that I think is quite interesting with the 
evolving framework is that in addition to embracing sort of risk 
management — in other words, this is as much about what you do 
as it is about the specific technical controls or things that you do 
to protect systems. The other thing that is coming up is implemen- 
tation levels, in other words, a maturity model, the notion that 
your thinking evolves. In the very beginning of the process, if you 
do not have a lot of experience, you may have a very rule-based or 
control-based scheme where these are the top things I am going to 
do. These are the core behaviors we are going to enforce within our 
company. We are going to check passwords. 

But as you evolve, in fact, what happens is almost a security cul- 
ture takes hold. It is about continuous improvement. It is about 
having the capacity to look at what is happening in your system 
to adjust to that, and it becomes much less about a rule following 
type culture and more about a continuous improvement. And that 
is being incorporated into this framework, which I think will really 
support implementation because it tells a company at the begin- 
ning of the process what they need to do and that is a different set 
of things than a very mature company would be looking at. 

Senator Thune. Let me just direct this question, if I can, to our 
industry witnesses. And I will repeat what I said. The feedback in 
terms of the NIST process under the EO has been generally posi- 
tive. And I am curious to know what has been your involvement 
or your sector’s involvement in the NIST process and if there is 
anything that you could suggest to the Committee or to NIST, for 
that matter, to improve that process. 

Mr. Coviello. I would be happy to start, Senator. 

First and foremost, to your point about it being industry-led, just 
to give you an idea of the resources that can be brought to bear, 
RSA hosts the largest security conference in the world. We have 
over 300 vendors that come to our conference every year. So you 
think about the scale of capability from 300 vendors that attend 
our conference to have an impact in terms of developing this frame- 
work with the latest and greatest, most innovative technologies. 

I would also add I have never seen a period where there was 
more investment from venture capital and others in the space, be- 
cause it is such a tough problem to solve. 

So you have got that weight of knowledge. Combined with that, 
you have the vertical industry knowledge of their being able to 
evaluate the risk in their environments, how to go about imple- 
menting the right technologies in a fashion that gives you true de- 
fense in depth. 

Now, on the other side of the equation, you have NIST, which 
has an excellent technical capability, bringing together those re- 
sources and drawing the best of it to build that framework and not 
doing it in a vacuum, but doing it collaboratively with both indus- 
try verticals as well as the technology companies that provide the 
solutions. 

So this bill I think is so important because it sets the right direc- 
tion to get the best results. 

As to your specific question, RSA has already been working with 
NIST to help develop this framework. We have expertise in the 
areas of identity management, in big data security analytics, in 
encryption technology, and in building out the framework. We 
bring our expertise in these specific technology areas to NIST and 
to the body of work that is being done. 

Senator Thune. Mr. Clancy? 

Mr. Clancy. I would add to that — and I pretty much agree with 
all the things that Art said — that the financial sector is very in- 
vested in this process for two reasons. One, we want to make sure 
there is a good and productive outcome and, two, because we want 
to improve the capability of the other infrastructures that we de- 
pend on. 

And I think the key — and I mentioned this in my testimony — is 
this stuff for us has to be grounded in the real world. One of the 
challenges with some of the standards process, not so much the 
way that NIST works, but other organizations is they have people 
who are professional developers of standards who do not live in the 
real world. And so from the financial sector, we had to invest our 
experts who know this space because we want to get productive 
outcomes. And NIST has been very good at taking that input from 
our expertise and others they have brought to bear because we 
want this framework to work because we want to use it to improve 
our cybersecurity and improve the maturity — that was another 
thing that was mentioned — the maturity scale of the various play- 
ers in the industry. So you have large institutions operating on 
large scales like mine that need to be very mature. We also have 
a lot of small institutions who do not actually run most of their 
own infrastructure. We need to get the service providers that pro- 
vide them the capabilities to have this level of maturity to protect 
the sector overall and the Nation’s critical infrastructure. 

The Chairman. Ms. Coleman? 

Ms. Coleman. Senator, from the NAM point of view, this issue, 
cybersecurity, has become increasingly important, and it has moved 
up the corporate ladder, so to speak, and it is now a boardroom 
issue for many of our members. A lot of our members are partici- 
pating in the NIST forum and find these discussions very helpful 
and want to see the process continue. And I think from our per- 
spective, the fact that we are talking about industry-led, voluntary 
standards in a public/private partnership are really key to our sup- 
port. 

Senator Thune. Thank you. I am well over my time, and I would 
be happy to yield to my colleague and neighbor from the State of 
Nebraska for any questions she might have. 
STATEMENT OF HON. DEB FISCHER, 

U.S. SENATOR FROM NEBRASKA 

Senator Fischer. Thank you, Senator Thune, and thank all of 
you for being here today. I appreciate it. 

Mr. Gallagher, how will the NIST framework relate to DHS’s im- 
plementation program? 

Dr. Gallagher. Well, we hope that the implementation program 
that DHS adopts is all about promoting adoption of this frame- 
work. This is industry’s work. We think industry will come up with 
something that is quite effective. And the purpose of that program 
should be to support those companies adopting it making it useful, 
whether that is through education, and the incentives and other ac- 
tivities in the program. 

Senator Fischer. Will NIST have any input into that process? 

Dr. Gallagher. Yes. It has been a very collaborative activity al- 
ready, both on the performance goals of the program — we have 
been working extremely closely with DHS. I have a weekly call 
with them, and at the working level, I think it is daily. That is also 
true on the implementation, and it is also true in the framework 
process because the framework process needs to be designed from 
the perspective of being implemented. So a lot of this discussion is 
already being done not just between the two agencies but in the 
broader effort as well. 

Senator Fischer. And I know that NIST has worked with private 
industry quite a bit on this. Is that correct? 

Dr. Gallagher. That is correct. 

Senator Fischer. And do you believe there are some essential 
elements in there that need to be included to make this a success? 

Dr. Gallagher. In terms of any particular area, it is actually a 
long list of areas that have been talked about. In fact, a big part 
of the framework effort is just organizing those areas into a struc- 
ture and a language that everyone can collaborate under. So it 
talks about identification of threats. It talks about protection. It 
talks about response capability and recovery. And there are key ac- 
tivities in all of those areas. So they are all important. 

I think the proof in the pudding here is when you put this all 
into practice, does it make a difference in the overall performance 
of this very complicated system that is comprised of technology peo- 
ple and processes. 

Senator Fischer. Do you see any specific issues that need to be 
prioritized within that framework? What would you suggest? 

Dr. Gallagher. Well, we have actually turned the question 
around to the industry that is putting this together. So this is an 
industry-led effort. This is really their document. That is for us a 
key measure of the success. 

I think that the initial framework will have sort of two character- 
istics. One will be a body of existing work, existing best practice 
that has come out of all the participating companies that become 
a common set of practices. The other thing that I expect to see in 
the framework is a set of areas that are gaps that everyone agrees 
needs to be addressed, but there may not be a body of existing best 
practices to implement. 

And so the final framework will have two pieces to it: a set of 
best practices and I think a road map for improvement. And that 
is one of the reasons why the framework process cannot be a once- 
through. It is really important then to turn back and start working 
on those gap areas and use it as a road map for continuous im- 
provement because this technology is just that dynamic. 

Senator Fischer. The framework is due in October. Is that cor- 
rect? 

Dr. Gallagher. That is correct. 

Senator Fischer. You said there will be gaps. So do you antici- 
pate that there is going to be something written into this to ac- 
knowledge that there will be gaps and that it needs to be updated 
and filled in as those become more, I guess, recognized as time 
moves on and what is needed and working with the industry and 
hopefully continuing to listen to their input? 

Dr. Gallagher. So an explicit part of the ongoing process has 
been identifying areas where there is broad consensus that it is a 
critical area but maybe that the actual technical standards that 
would form the basis of a response are not considered sufficiently 
mature. And so that is already happening. And I think the frame- 
work needs to be an honest document, and I think it needs to 
showcase those areas. And if it generates a prioritization — remem- 
ber, you have got all of these companies working across the sectors. 
If they can agree that this is a priority to address, I think that is 
a very powerful outcome of the framework itself. 

Senator Fischer. So we all like to talk about being flexible and 
having flexibility no matter what the topic. In this case, then you 
would certainly encourage that there would be flexibility with re- 
gard to this? 

Dr. Gallagher. I actually would go further. I would say this 
cannot work if there is not flexibility. The threat environment that 
is facing and the pace of technological change is so rapid that there 
has to be a dynamic environment — that is really the goal of em- 
bracing industry. It knows how to keep up with this. And that is 
why it is so important that they take this process and take it to 
scale so that it keeps up. 

Senator Fischer. Thank you very much. 

Thank you, Senator. 

Senator Thune. I thank the Senator from Nebraska. 

The Senator from Massachusetts, Senator Markey? 

STATEMENT OF HON. EDWARD MARKEY, 

U.S. SENATOR FROM MASSACHUSETTS 

Senator Markey. Thank you very much. I appreciate it. 

Mr. Coviello, good to see you again. Welcome. 

Mr. Coviello. Thank you, Senator. 

Senator Markey. You are a preeminent leader in the 
cybersecurity field, and I have always appreciated your insights 
and we are fortunate to have you here with us today. 

From Hanscom to all of the companies up in Massachusetts led 
by EMC, we are a leader from Massachusetts on the issue of 
cybersecurity, and I thank you for all the work that you have done. 

When we talk about this issue, the electricity grid comes to mind. 
And back in 2010, I was able to author with Fred Upton a piece 
of legislation, informed by expert testimony from our national secu- 
rity experts, to put in place a set of protective policies so that our 
electricity grid would be difficult to attack successfully. As we all 
know, Thomas Alva Edison would recognize our electricity grid 
today. It has not been modernized the way our telecommunications 
system has been modernized since the 1996 Telecommunications 
Act. It just has not seen the kind of change. 

So my question to you is since so many experts felt that the elec- 
tricity grid was so vulnerable — and that can cause catastrophic 
damage because that affects every industry not just one — what is 
your feeling about that in terms of the vulnerability of the elec- 
tricity system, the grid in our country today? Mr. Coviello, Mr. Gal- 
lagher, whoever? 

Mr. Coviello. I will be happy to start, Senator. And thank you 
for your kind remarks. 

As I think Chairman Rockefeller pointed out, there is no industry 
and no part of our critical infrastructure that is not in some form 
or fashion vulnerable to cyber attack. And why we are so positive 
on this legislation is the fact that it calls for industry, including the 
public utility industry, to bring forward their ideas on how to un- 
derstand and evaluate risk and how to implement not only policies 
but technology to mitigate that risk. And that includes the use of 
technology. 

What we need to do, and what should be part of this framework, 
is to develop a system that allows us to not just try to prevent in- 
trusions — because they will occur, they will inevitably occur — but 
to be able to detect them more quickly and respond quickly enough 
to mitigate any potential harm. 

Senator Markey. Can I just ask you a question? 

Mr. Coviello. Sure. 

Senator Markey. Because my time is going to run out here. 

I released a report about 2 months ago on the electric grid’s vul- 
nerability to a cyber attack, and about 100 utilities responded to 
Mr. Waxman and myself. What their responses revealed was that 
there is ongoing attempts to go after our electricity grid. But the 
responses revealed something else which is that the utilities were 
almost all fully compliant with the mandatory standards that the 
industry develops and the Federal Energy Regulatory Commission 
enforces but none of them reported compliance with the voluntary 
recommendations made by the North American Electricity Reli- 
ability Corporation, an industry group that develops these meas- 
ures. 

So I know that the utility sector is not the same as the industrial 
sectors that we are talking about today, but the utilities are al- 
ready subject to mandatory reliability standards, and keeping the 
lights on in the face of a cyber attack is fundamental reliability. 

So I would be interested in your views on this tension between 
carrots and sticks because it is pretty clear that in the utility sec- 
tor, they do not respond to voluntary, only to mandatory. Could you 
give me your insight in terms of what you think we have to put 
on the books to get that kind of a response? 

Mr. Coviello. Well, again, I think the bill that is before this 
committee — I do think is the right approach. I think you would 
have to speak directly to them about their ability to volunteer. 

But I think, again, what we are trying to accomplish here is to 
give them the means and the capability in the form of this frame- 
work to be able to defend themselves. And I cannot emphasize 
enough the fact that the technology is moving so quickly that hav- 
ing a framework that is flexible and adaptable that keeps pace 
with not only the threat, but the expansion of the attack surfaces 
is going to be critically important. 

I will also state that the problem is likely to get worse before it 
gets better. As we create what we call the “Internet of things” — 
in other words connecting more and more physical devices to the 
Internet — then the attack surface is going to expand even more 
dramatically. And we have to have capability to address that. 

So my role here today is to comment on this legislation and how 
effective I think it would be in giving the private sector the means 
to protect the critical infrastructure. And I think it is the right 
path. 

Senator Markey. Do you see any additional incentives that we 
could include to encourage adoption of voluntary standards? 

Mr. Coviello. I think that there could be other considerations. 
I cannot, off the top of my head, give you examples today, but it 
would be something that you could consider. 

Senator Markey. So in other words, a backup capacity. So we 
have learned that the electric utility industry does not, in fact, im- 
plement voluntary standards, only the mandatory. So would you 
support some backup standard that if there was no compliance and 
it has been identified as a critical area that needs protection, that 
there has to then be some mechanism to ensure that there is an 
adoption? 

Mr. Coviello. Well, again, I do not speak specifically for the in- 
dustry, but I think if they were given the right framework — and 
that is what we are attempting to do with the executive order and 
with this bill — I think it will go a long way to having them see the 
light to adopt this framework. 

Senator Markey. But if there is no adoption, in other words, 
should there be — because of the critical nature of this threat to our 
country, should there be a mechanism to ensure that there is com- 
pliance because we are only passing this because we have identi- 
fied a threat? 

Mr. Coviello. Well, it is always in the purview of Government 
to do what is right in the public interest. So under that scenario, 
I would not rule anything out. 

Senator Markey. OK. 

Mr. Chairman, thank you. I appreciate it. 

The Chairman [presiding]. Thank you, Senator Markey. I under- 
stand exactly what your thrust is there. I have to say as chairman, 
I share some of that, but that is not actually within our jurisdiction 
and we have to sort of live with that. I mean, this is the voluntary, 
working with industry. The questions you asked are completely un- 
derstandable and I think in the long run necessary, but that is 
what Homeland Security does. 

Senator Markey. I see. 

The Chairman. You see? 

Senator Markey. I was operating under the misimpression that 
you were chairman over everything that comes under the purview 
of private commerce in the United States. 

[Laughter.] 
Senator Thune. I would say to the Senator from Massachusetts 
the Chairman likes people to think that. 

[Laughter.] 

Senator Markey. Thank you, Mr. Chairman. 

The Chairman. Oh my God. 

[Laughter.] 

The Chairman. Dr. Gallagher, you negotiate with world groups 
on standards. So now, we have been talking here about — let us say 
we have got standards on American cybersecurity and what do we 
do about all of that. You negotiate with world organizations, and 
you do it over the same kind of thing. What do you do when you 
arrive at differences, substantial differences? If you do not under- 
stand my question 

Dr. Gallagher. I think so. 

The Chairman. — please say so and I will try again. 

Dr. Gallagher. So the international standards process is actu- 
ally one where NIST does not represent the United States. Again, 
since we have an industry-based standard setting process in this 
country, our presence in international standard setting is set by 
those private sector standards organizations. What we try to do is 
facilitate that process. And a lot of that has to do with making sure 
that the best technical answer is supported. You know, we would 
prefer effective standards over ineffective standards. 

But I have to say the most effective role in international stand- 
ard setting is the role of companies, particularly international com- 
panies, because they have a stake already in these multiple areas. 
And in fact, it is that desire to have as common a market as pos- 
sible that is a big influence in those areas. So the key to inter- 
national standard setting — it is always a complex issue — is partici- 
pation, and it is one of the reasons why I think this framework 
process is so important. By coming together and developing a com- 
mon set of practices, we will shape what international standards 
look like. That tyranny of the first draft and shaping what this 
looks like really matter. And I think we already see signs of other 
countries, other areas. Whether they are going to be voluntary or 
whether those countries decide to go into a regulatory approach, 
they are already interested in basing whatever they do on what is 
already happening here in this framework process. And I think 
that is a good thing because the more we get common behavior and 
common practices, the more compatible this enterprise is with the 
way business works. 

The Chairman. In a sense what we are doing is we are asking 
you to develop standards that are effective standards that will real- 
ly improve our country’s cybersecurity in a voluntary fashion. We 
are not asking you for window dressing or for a proposal to make 
every single stakeholder happy. That was sort of a dumb last sen- 
tence. But it is a very big responsibility because you want to be ef- 
fective. You do not want to be sort of a United Nations between 
competing ideas and people come to this point and then they stop, 
so they cannot close, so they do not do. 

Are you and the rest of the NIST staff committed to the goal of 
developing effective standards, and how would you answer that dif- 
ferently than I asked you a previous question? How do you come 
to agreement? The word “effective,” as Senator Markey indicates, 
is important. 

Dr. Gallagher. I think it is absolutely critical. 

The way I think about this question is we are talking about a 
set of activities owned and operated by the private sector that if 
they were to fail through a cyber attack would have catastrophic 
impact to the country. That is the definition of critical infrastruc- 
ture that is in the Executive Order. So there is clearly a national 
interest in that not happening. And so effectiveness is actually the 
starting point. This has got to work. 

I think the position we take is that if we can make this work, 
working through industry in a market-centric way, in a way that 
adapts all of the capacity they have, all of the adaptability they 
have and aligns with business practice — and that is an “if.” If that 
works, that is the best answer because it can scale internationally. 
It can keep up with the technology, and there is this little sort of 
counter-market things that we have to do. If it does not work, I 
think the question before Congress will be what do we do about 
that because you still have a national impact. 

So the position of NIST has been this has got to be effective. It 
has got to address lowering the overall risk of these types of fail- 
ures. And it has to be measured by being put into practice and it 
has to continually get better because both the threats are going up 
and the technology is changing, and the nature of the 
vulnerabilities are shifting. So it has to be continuous. 

The Chairman. Yes. 

Senator Thune, can I ask one more question? 

Senator Thune. Yes, sir. 

The Chairman. OK, because I am over my time limit. 

I mentioned before that because you could not get anything done 
in legislation — we were not getting anything done in legislation 
and that this in fact — even national security — I mean, so much 
braid and stars you cannot even believe it. Masses of it, acres of 
it begging us to pass legislation that will make cybersecurity at- 
tacks much more hard or that we can stop them. Now, you sug- 
gested one way, but you did not suggest it in the way I am going 
to say it. But if you have a catastrophic attack, it is sort of like 
a 9/11 effect. People perk up and say, oh, gee, we should have pre- 
vented that. And then we pass, to the everlasting shame of the 
U.S. Congress, a bill. 

The first thing we did after 9/11 was pass a bill which allowed 
the FBI and the CIA to talk to each other. I voted for the bill and 
then I went and blushed. I mean, it was so embarrassing we would 
have to do that. But that is the way it is. People do not talk to each 
other. They do not talk. There are stovepipes in Government, stove- 
pipes in industry, people not wanting to get an advantage taken of 
them. 

So I came up with this idea — Mary Schapiro was in charge at the 
time at the SEC — in two areas. In the matter of hacking, that the 
companies by definition are probably not going to say, hey, guess 
what, we were hacked and then send that announcement out to all 
their shareholders. But in an era of transparency and for the bet- 
terment of that company, their shareholders have a right, I would 
think, to know that their company had been hacked into. I wrote 
to Mary Schapiro and asked her to work on this. And it works. 
Now people are starting to report. Shareholders are seeing. 

I did the same thing with coal mines. You cannot get coal mine 
safety legislation through this Congress with a red State. It just 
will not happen. Extremely frustrating. And then you live in a coal 
State and you see people getting killed. And, you know, coal compa- 
nies like others are sort of distant and hidden and they have their 
own world, their own ways. And so I got her to do the same thing. 
If you had a coal mine accident, you were required to report that 
on the SEC website. And I am not saying it had a startling effect, 
but it had a good effect because people, in a sense, in a raw way 
that did not require law, were informing their shareholders that 
safety problems were extant and no more than that. No more au- 
thority to do anything than that, just transparency, which I think 
we generally are trying to believe in. 

Now, I do not know how to make a question out of what I just 
told you. But I think you understand what I am saying. I am im- 
plying that companies sometimes have to be caused to do what 
they would really want to do. But I do not want the people of West 
Virginia to know bad things about me, which of course do not exist. 

[Laughter.] 

The Chairman. But should they, I do not want them to know 
about it. Right? Senator Thune is the same way. Well, he is more 
perfect. 

[Laughter.] 

The Chairman. But you understand what I am saying. I mean, 
this is a serious problem that we are getting at, and we have un- 
clear jurisdiction over it, just like I told the Senator. But my mind 
just forces me to put that question to you. 

Dr. Gallagher. So I certainly appreciate the important role that 
disclosure has in this environment, but since I am not an expert 
on those types of incentives, let me answer the question a little bit 
more generally. 

You are exactly right that this will not do any good if it is not 
put into practice. And so the crux of the issue — and I think this 
will be — and the administration believes this is going to be the es- 
sence of the discussion we want to have with Congress as this 
unfolds. As the framework is put into practice, what are the rea- 
sons why it does not go into practice? Is it the motivation of the 
boards? Is it business-to-business transactions, where there are 
barriers to information in transactions? There are dependencies be- 
tween companies as well. There are dependencies between the pri- 
vate and public sector. I believe that there is a lot of self-interest 
to doing this well. I think that these technology systems actually 
cut right to the heart of the competitiveness and viability of the 
companies themselves. So I think a lot of self-interest is already 
there. 

But the extent to which we identify friction, that really should 
be what informs all of the subsequent discussion about incentives. 
And our view is that this will become very natural as we start to 
implement the framework, and it really becomes about an imple- 
mentation question. 

The Chairman. Peer pressure evolves in various ways. Is that 
what you are saying? 

Dr. Gallagher. Yes. 

The Chairman. OK. 

Senator Thune. Mr. Chairman, I just appreciate very much the 
testimony of these folks today, and I think that it helps inform our 
process going forward. And I guess if there is a takeaway for me — 
and perhaps if you all want to, just in the form of a closing com- 
ment — is that the only way that this works is if the framework 
really is good business and makes sense. So that is kind of what 
I have derived from what I have heard you say today. 

I think that our bill is headed in the right direction based on 
what I have heard you say today. And there are other committees, 
as the Chairman said, that have other jurisdictions who will have 
to be heard from on this. And we hope that the work that they do 
can complement what we have done here. 

But we appreciate very much your being here, and if anybody 
has anything they would like to close with — it is just down to us. 
But thank you so much for your time and for your expertise. 

The Chairman. Any closing thoughts? 

Mr. Clancy. So, again, I would like to thank you for having this 
hearing. I look at this as an important first step. There are more 
steps to follow. And I think, Chairman Rockefeller, what you were 
getting at in terms of disclosure is a way to inform the debate 
about the risks that we face. The other side of that equation, as 
I mentioned earlier in my testimony, is around information shar- 
ing. And I think there is work for other committees in the Senate 
to push that forward. And the two together will be stronger than 
either one of those things on their own. 

And I thank you again for the opportunity to speak on behalf of 
the American Bankers Association, the Financial Services Round- 
table, and the Securities Industry and Financial Markets Associa- 
tion. Thank you. 

The Chairman. Thank you. 

Ma’am, do you have anything? 

Ms. Coleman. Yes. Just in conclusion, I just want to reiterate 
that the NAM supports your legislation as introduced. We certainly 
very much appreciate the industry-led, voluntary standards non- 
regulatory approach and the public partnership that is incor- 
porated into the legislation. And we look forward to working with 
you to advance this legislation. And thank you for the opportunity 
to testify today. 

The Chairman. Thank you. 

Now, I want to point out that Senator Thune, who is a smooth 
operator, just almost took the legs out from under me there in sort 
of bringing this to a close because Senator Richard Blumenthal ag- 
gressively approached me on the Senate floor on an absolutely ri- 
diculous vote — absolutely ridiculous vote, but it was very close so 
it was not ridiculous — and said that he was going to be here in 2 
or 3 minutes and I am so informed. So it is a question of your toler- 
ance of the whole concept of the legislative branch of Government, 
if you can stand it for 2 more minutes. He is very, very smart. He 
was Attorney General of Connecticut for 29 years. And he wants 
to be here. And so if you are willing to stay, he would be very 
happy and I would be very happy. I mean, 2 minutes. I mean, you 
can handle that. You are all young. 
Mr. Coviello. Mr. Chairman, I did not get an opportunity to 
make a closing comment. So maybe I can bridge the gap a little bit 
here while we are waiting. 

The Chairman. OK. 

Mr. Coviello. So, first of all, RSA was attacked in 2011 by two 
separate advanced persistent threat groups that we believe to have 
come from a nation state. Without the requirement of SEC disclo- 
sure, because it had not been put through as yet, our parent com- 
pany, EMC, once we realized we had a loss, which was within 
hours of the actual exfiltration of information, we filed an 8-K re- 
port to the SEC. I also wrote an open letter to all of our customers 
informing them, as we had a moral obligation. So we take no credit 
for doing the right, moral thing to inform our customers that be- 
cause of our breach, that they might have been in danger. As a re- 
sult not only of our internal capability to see the attack and being 
a whisker from stopping it altogether, we were able to give reme- 
dial advice to our customers. And as a result, no customer suffered 
a loss as a result of our breach. 

The point I guess I would like to make is that, first and foremost, 
focusing on outcomes should be an important element of our 
cybersecurity strategy. I think Senate bill 1386 in California about 
notification of breaches of personally identifiable information has 
caused a significant shift in how the retail industry approaches 
cyber. But it is not about regulating specific action about how in- 
dustries go about protecting themselves. If you focused on an out- 
come, very often you will get industry to do the right thing. 

I think your legislation is very important because it gives indus- 
try the tool to do that right thing. And I think this is a tremendous 
start. And, again, I want to thank you and Ranking Member Thune 
for your leadership because this is I think a tremendous start and 
an important element of protecting our critical infrastructure. 

The Chairman. Good. And I agree with you incidentally. 

Please, Senator Blumenthal, get here. 

I agree with you because it starts with the proper framework. 
This is not regulatory. NIST is not regulatory. NIST brings people 
together, public and private. It has been brilliantly successful at 
that. One of the most agencies in all of the Federal Government. 
So it puts that forward as the ideal. In that we are going to, hope- 
fully, get our bill passed, it will allow that to proceed. 

But you are probably already proceeding on that. Are you not? 

Dr. Gallagher. Yes. We are proceeding under the framework. 

But from our perspective, we also appreciate this bill because it 
clarifies what are existing, but very broad authorities to do this. 
And in particular in light of the fact that we believe this effort 
needs to be ongoing and continuous, that clarification support I 
think is very helpful in helping to ensure that this evolves toward 
an industry-led program that has these features we have talked 
about of being agile and keeping up. 

The Chairman. Our prayers have been answered and the good 
Senator from Connecticut has arrived. 
STATEMENT OF HON. RICHARD BLUMENTHAL, 

U.S. SENATOR FROM CONNECTICUT 

Senator Blumenthal. Thank you, Mr. Chairman. I am going to 
tell my wife that she can say that when I come home tonight 
whether she thinks it or not. 

[Laughter.] 

Senator Blumenthal. But thank you very much for giving me 
this opportunity — I really appreciate it — on a topic that is su- 
premely important. I just came from the floor and I apologize for 
anyone who has been delayed. 

First of all, my thanks to the chairman and the ranking member 
for remaining committed to finding solutions to this very real and 
urgent threat. Often when the legislative process fails to function 
properly or breaks down, people walk away and ignore the prob- 
lems that still need solving, and that has not happened here fortu- 
nately. So I am heartened that the leadership of this committee 
has found a way to work together, and I want to pledge that I will 
continue to stay engaged and involved and help in whatever way 
I can. 

I continue to be concerned with ensuring that civil liberties and 
personal privacy are protected and safeguarded throughout this 
process. My colleague, Senator Markey, has been very much fo- 
cused on this issue, and I want to thank him for his work on it be- 
fore he came here. 

And I am also focused on making sure that we have the right in- 
centives, the proper incentives to ensure that companies are com- 
plying with the standards. 

I have a question that has perplexed me as a representative of 
a State which has some of the greatest companies in the world. 
Under Secretary Gallagher, why has the market not better dealt 
with the cybersecurity threat? During the financial crash, we 
learned about systematic risk and banks that believe they were too 
big to fail, to use a somewhat hackneyed, overused term. Do you 
think the infrastructure companies believe that the Federal Gov- 
ernment will bail them out in the event of a catastrophe? Is that 
why they are not taking steps on their own? 

Dr. Gallagher. So I would actually start by challenging the 
premise a little bit. I think the evidence that I have observed with 
companies from the various sectors coming into the process is that 
in fact there is a lot of actually quite outstanding activity going on. 
The financial services sector is a good example of one which has 
been under extreme duress with extremely high levels of targeted 
attacks to that sector and yet has really been quite good at working 
across company lines, sharing technical information, working with 
Internet service providers, working with the public sector in 
crafting and adapting to that pretty dynamic response. 

Senator Blumenthal. And I apologize, first, for interrupting you, 
second, because my question was unclear. I was really talking 
about insurance. I come from a State that has been engaged in try- 
ing to combat the cyber threat. I have talked to a number of the 
CEO’s and lower ranking executives about their concern. But insur- 
ance does not seem to be a commonly used option. And in the nor- 
mal situation in the marketplace, insurance would be a measure of 
how grave the threat is, everything from hurricanes and flooding 
to theft to — well, I do not need to tell you. Why not in this area? 

Dr. Gallagher. So I apologize for 

Senator Blumenthal. No. It was my 

Dr. Gallagher. So I think you are right. Certainly one of the in- 
centive discussions is around insurance and why that market — 
what could be done to develop that. One of the possible reasons has 
to do with the fact that you need to monetize the risk. And so this 
comes down to measuring and understanding and sort of devel- 
oping an actuarial basis where this risk can be sort of embedded 
in the market. This discussion has come up actually quite fre- 
quently in the framework process, and I think as part of the 
metrics discussion, this is something that is being looked at as 
something that would be quite helpful. 

Senator Blumenthal. And why has it not happened? The threat 
has been here. And I invite any of the other panelists to weigh in. 
But the threat has been here for well long enough to monetize and 
do the actuarial accounting. And in fact, in other areas I am famil- 
iar with some of the work done on climate disruption and the 
threat of hurricanes. Actually the insurance companies are very 
mindful about potential threats of hurricanes in the Northeast 
which are about as difficult to monetize as I would guess cyber 
threats are, in fact, more so because we know the cyber threat is 
there. We know some of the damage that can be caused. So maybe 
others can enlighten us. 

Mr. Coviello. Actually, Senator, I would disagree. I actually 
think the cyber threat is harder to create an actuarial table or an 
algorithm around. And the problem is twofold. It is not just the 
threat environment which continues to escalate every single day in 
terms of capabilities of the attacker, it is the attack surface. I get 
asked all the time why can you guys not do a better job. Well, we 
could do a better job if IT infrastructures were static. They are not. 

Just think about the following facts. The iPhone did not even 
exist until 2007. Six years later, we now have full mobile ubiquity. 
We use very few Web applications to run our businesses as recently 
as 2005 to 2007. Now a common refrain is “there is an app for 
that.” In another 6 or 7 years, we will be using big data applica- 
tions to monitor everything about us and the world around us, 
hopefully for productive reasons. 

The amount of digital content being created every year is abso- 
lutely astounding. There was a quarter of a zettabyte — and I will 
explain what a zettabyte is in a moment — of digital content being 
created in 2007. This year there will be two zettabytes. By 2020, 
there will be 40 to 60. One zettabyte is the equivalent of 4.9 quad- 
rillion books. That is the amount of content that needs to be sorted 
through to figure out what exactly needs to be protected, as op- 
posed to what is a picture of your family dog. 

So the complexity of protecting this fast changing IT environ- 
ment is overwhelming. That is why this framework is so important. 
We need a security model that has legs. We need a security model 
that is future-proof. That model consists of starting with a thor- 
ough understanding of risk that is an ongoing process. It includes 
technologies that can react to facts and circumstances that are not 
static. It includes a management system that uses capabilities that 
are only just coming to market now that can spot the faint signal 
of an attacker. The one thing we have going for us in defending 
against cyber attacks is, ultimately, the attacker will have to do 
something anomalous. We are developing the capabilities to be able 
to spot that in progress. So, again, Senator, as you suggest, it is 
not a question of whether or if we will be breached. It is our ability 
to respond and detect the attacks and respond timely enough to 
quarantine the element of our infrastructure that has been at- 
tacked or to prevent the movement of critical information or a 
transaction. 

Mr. Clancy. And if I could add to that. As you know, insurance 
at its core is about risk transfer. So I transfer the risk that I have 
to somebody else who can absorb the risk. And in order to do that, 
you have to have two things. You have to have an understanding 
of the risk and the purchaser of the policy and the issuer of the 
policy both have to be able to value it. And I would argue that one 
of the challenges you have particularly in cybersecurity is that 
many of the people who face the risk do not have a good estimation 
of what it really means to them and what the consequences could 
be and the likelihood or frequency of those events occurring. And 
that is one of the reasons why I believe the information sharing 
component, which is not addressed in this bill, is another tool in 
the toolbox to help us understand that risk better. 

We use cyber risk insurance, but we use that cyber risk insur- 
ance at DTCC for the risks that are smaller. The catastrophic risks 
that we could face if these issues escalate to a point where they be- 
come manifest are really beyond the ability of the insurance indus- 
try to absorb right now. And so we have to look at making sure 
that those things do not occur. 

Senator Blumenthal. You know, I understand what you have 
said, and I do not disagree with it, that it is a moving target, so 
to speak, that it is not a static threat with sort of inert, chess-like 
moves that are fully visible and are played according to the same 
rules all the time forever. But that is the nature of insurance to 
try to look forward and put numbers on risks that may vary and 
may change over time. 

So I am still perplexed. I do understand what you are saying, 
and I wonder, if I can ask a question, whether it is the fact that 
the insurance would be too costly because of the factors that you 
mentioned or because the insurers simply do not want to be in that 
market. They just do not want to even engage or be involved in 
offering that product. 

Mr. Coviello. Again, Chairman Rockefeller said it at the outset, 
that almost every agency of the Federal Government says how stra- 
tegically important the nature of this threat is to the U.S. economy 
and our defense. 

So I would say that over time, if we are as effective as I think 
we will be, I think we can get to a point where we can reach an 
equilibrium, where we are not playing the attackers are one up 
against us and we are trying to catch up and react to the threat, 
that we are able to develop a system that is resilient enough to not 
necessarily stop any loss, but to respond quickly enough. And at 
that point, I think the cost curve will come down sufficiently that 
you will be able to insure against this problem. 
Senator Blumenthal. I think your points are very well made. 
And in my view, they are great evidence for the need for this legis- 
lation. 

Mr. Coviello. No question. 

Senator Blumenthal. Because here is an area where normally 
the private sector would say we will take care of it. We know you 
are the Federal Government and you are here to help, but we can 
do it on our own. Here the markets, or the insurance market at 
least, cannot really satisfactorily address the incalculable threats, 
the magnitude of the harm, and other factors that you have put so 
well. 

Mr. Coviello. Thank you. 

Senator Blumenthal. My time has expired, but I want to just 
say on the issue of privacy and civil liberties that I think that the 
draft legislation from Senator Rockefeller and Senator Thune in- 
cludes language that instructs the director of NIST to — and I am 
quoting — include methodologies to protect individual privacy and 
civil liberties. I hope if I can direct questions in writing to you on 
this area, we can get some responses from you. 

Again, my thanks for being here today. 

Thank you, Mr. Chairman. 

The Chairman. Thank you, Senator Blumenthal. 

And now I have really got to say a heartfelt thank you for your 
patience. I mean, we had this incredible sort of Broadway-like per- 
formance — an art form of waiting for Senator Blumenthal. 

[Laughter.] 

The Chairman. And Jay Rockefeller tried to ask an intelligent 
question and then keeping my ear open to was that door opening 
or not and you were coming through to save us all. And you did, 
indeed. But most importantly, I think some of the best testimony 
came within the last 10 minutes. 

Senator Blumenthal. Well, thank you, Mr. Chairman, and 
thank you for making your rebuke so soft. 

[Laughter.] 

The Chairman. No, no. 

All right. With all certainty, this hearing is adjourned. 

[Whereupon, at 4:29 p.m., the hearing was adjourned.] 
Prepared Statement of Hon. Dan Coats, U.S. Senator from Indiana 

Thank you, Mr. Chairman, and let me start by commending you and Senator 
Thune for your bipartisan leadership on the cybersecurity issue, and by congratu- 
lating you on the introduction of S. 1353, the Cybersecurity Act of 2013. 

In a post-September 11 world, Americans have learned to be more vigilant. We’ve 
learned that in a second — the act of one terrorist — or a group of terrorists — can wipe 
away life as we once knew it and change our world forever. And so since that fateful 
day in September almost 12 years ago, our Nation has made great strides to be ever 
more vigilant and more prepared to prevent or respond to another terrorist attack. 

Local law enforcement, TSA, FBI, Homeland Security and the intelligence commu- 
nity, among many others, must work every second of the day to anticipate, prevent 
and disrupt potential plots by terrorists. But these threats are changing form. It is 
not only a potential hijacked plane or a bomb plot that threatens our country; we 
now face another type of warfare that could have a deep and widespread impact on 
Americans — a cyber attack. 

As a member of the Senate Intelligence Committee, Senate Commerce Committee 
and Ranking Member of the Senate Appropriations Subcommittee on Homeland Se- 
curity, I know that the threat of a cyber attack is real and far-reaching. A major 
attack on our cyber systems could shut down the critical infrastructure that allows 
us to run our economy and protect the safety of Americans — transportation and fi- 
nancial systems, communications systems, electric grids, power plants, water treat- 
ment centers and refineries. 

The threat of a cyber attack is growing, but neither industry nor government 
alone can broadly improve our nation’s cybersecurity. This potentially devastating 
vulnerability requires all stakeholders to work together to develop an enduring leg- 
islative solution. Protecting Americans from cyber attacks should not be a partisan 
issue. 

That is why I believe it is imperative that Congress pass cybersecurity legislation 
this year given the grave threat of these attacks against our government and key 
sectors of our economy. An Executive Order from the White House simply cannot 
provide the statutory authorities and protections needed to address the serious dan- 
ger posed by cyber attacks. 

The Commerce Committee will have the opportunity soon to set the tone for the 
cybersecurity debate by moving the ball forward in a business friendly, bipartisan 
way by passing the Cybersecurity Act of 2013. 

Although only a narrow approach, this legislation is a good step in the right direc- 
tion. It strikes the appropriate balance and preserves the private sector’s leadership 
in the development of innovative technologies to respond to cybersecurity threats. 

Bipartisan support for this legislation provides a path forward and sets an exam- 
ple for the other relevant committees. I am confident, for instance, that the Chair 
and Vice Chair of the Intelligence Committee will soon finish work on legislation 
to break down legal barriers and incentivize information sharing, an essential com- 
ponent of improved cybersecurity. There is broad, bipartisan consensus on the Com- 
mittee to do just that, and I trust the leadership and flexibility demonstrated by 
Senator Rockefeller will be repeated by Senator Feinstein. 

This legislation also provides the Senate Majority Leader guidance on how NOT 
to repeat the mistakes of last Congress. We really hit a low point last summer when 
the Senate Majority Leader rushed a cybersecurity bill to the floor under strained 
circumstances. 

One-fifth of the U.S. Senate — both Republicans and Democrats — met every day for 
nearly two weeks to iron out our differences on cybersecurity legislation. And with 
the active participation of 20 Senators representing both parties and key committees 
of jurisdiction, we came close. 

Several Republican and Democratic Senators had an understanding on how to 
best move forward on cybersecurity, and a shared commitment to work through last 
August toward a compromise legislation that could pass the support of both parties. 

This agreement was important because throughout the consideration of this bill, 
the Majority Leader circumvented the legislative process and refused to allow any 
amendments. 

Unfortunately, rather than allowing the process to advance and amendments to 
be considered, the Majority Leader and the White House shut down debate, forced 
a vote they knew they would lose and blamed Republicans for the failure. This was 
completely disingenuous and poisoned the well last year for progress on this critical 
national security issue. 

The Senate should address cybersecurity this year, but not in the “take it or leave 
it” manner the Majority Leader has pursued in the past. 

Instead, it should be done in a manner that ensures our security, encourages the 
voluntary participation of the most innovative aspects of the private sector and the 
government, and does not harm our economy. 

This legislation starts us down that path. As a member of the Senate Commerce 
Committee and the Senate Intelligence Committee, I remain committed to working 
on legislation that strikes the right balance between strengthening security and re- 
specting the privacy rights of Americans. 

The responsibility falls on all of us. We know this threat is ongoing and real. We 
know we need to act. We must cast aside partisanship and put the security of our 
country above political expediency. 


Response to Written Questions Submitted by Hon. Mark Warner to 
Dr. Patrick D. Gallagher 

Question 1. On February 13, 2013, President Obama signed Executive Order 
13636, “Improving Critical Infrastructure Cybersecurity,” and the White 
House released a related Presidential Policy Directive (PPD-21), both of which work 
to strengthen the cybersecurity of critical infrastructure in the U.S. 

The Executive Order directed NIST to work with industry and develop the 
Cybersecurity Framework, and the Department of Homeland Security (DHS) to es- 
tablish performance goals. DHS, in collaboration with sector-specific agencies, is 
charged with supporting the adoption of the Cybersecurity Framework by owners 
and operators of critical infrastructure and other interested entities through a vol- 
untary program. 

Legislation recently introduced by Senators Rockefeller and Thune reinforces these 
executive directions, tasking the National Institute of Standards and Technology 
(NIST), in coordination with the industry, with developing a set of standards and 
best practices to reduce cyber risks to critical infrastructure. 

What does NIST see as the biggest challenge in developing standards for sectors 
in cybersecurity? Is each sector progressing to meet the targets outlined in the Presi- 
dent’s timeline, and if not, which sectors are most at risk? 

Answer. NIST did not develop standards as part of its work under Executive 
Order 13636. Rather, NIST was directed in the Executive Order to work collabo- 
ratively with stakeholders to develop a voluntary framework — based on existing 
standards, guidelines, and practices — for reducing cybersecurity risks to critical in- 
frastructure. As part of the framework development process, NIST sought public 
input to develop a compendium of existing sector-independent and sector-specific 
standards, guidelines, practices, and other informative references to assist with 
cybersecurity implementations. 

The Executive Order specified that adoption of the Cybersecurity Framework is 
voluntary. As such, NIST is not working to assess sector progress. However, NIST 
is working collaboratively with the Department of Homeland Security to promote 
wide adoption. 

Section 9 of the Executive Order directed the Department of Homeland Security 
(DHS), in consultation with sector-specific agencies, to identify critical infrastruc- 
ture at greatest risk. DHS would be pleased to provide a briefing on the entities 
identified through implementation of Executive Order 13636. 

Question 2. The standards and best practices developed through this process, as 
outlined by the Executive Branch and Senators Rockefeller and Thune, must be vol- 
untary. Do you agree that the standards set by NIST should be voluntary? If not, 
please explain why. 

Answer. NIST agrees that use of the Cybersecurity Framework and any associ- 
ated Standards should be voluntary. 

Question 3. How will these voluntary standards be implemented? For covered in- 
dustries that already have a regulator, how does NIST assess the progress of their 
efforts to create standards for those sectors? 
Answer. The Cybersecurity Framework will identify areas for improvement that 
should be addressed through future collaboration with particular sectors and stand- 
ards developing organizations. As part of this process, NIST will continue to work 
with industries and sectors in existing standards developing organizations to ad- 
dress any identified needed areas. 

Because implementation of the Framework is voluntary, the process by which 
standards may be adopted by participants will vary. The Framework is intended to 
be a resource, not a regulation. Sector-Specific Agencies coordinate with the Sector 
Coordinating Councils to review the Cybersecurity Framework and, if appropriate, 
develop implementation guidance or supplemental materials to address sector-spe- 
cific risks and operating environments. 

Question 4. How has NIST increased staffing and experience to be able to handle 
a large and complex project? Have government furloughs due to sequester delayed 
the timeline or made it more difficult to achieve the intended result? 

Answer. NIST has achieved the objectives and goals assigned in the Executive 
Order. NIST is continuing to work with the private sector to evolve future frame- 
work versions and ways to identify and address key areas for cybersecurity develop- 
ment, alignment and collaboration. 

Question 5. While the actions of the Executive Branch are a step in the right di- 
rection, there are still regulatory gaps that leave our Nation vulnerable to 
cyberattacks. Do you believe that the Cybersecurity Act of 2013 (S. 1353), recently 
introduced by Senators Rockefeller and Thune is effective in filling these gaps? If 
not, what are your recommendations for legislative action that should be taken to 
strengthen America’s cybersecurity? 

Answer. NIST is encouraged by the attention, interest, and concern within both 
the executive and legislative branches of government to address pressing 
cybersecurity challenges. 

Question 6. NIST’s initial steps towards implementing the Executive Order in- 
cluded issuing a Request for Information (RFI) this past February to gather relevant 
input from industry and other stakeholders, and asking stakeholders to participate 
in the Cybersecurity Framework process. Given the diversity of sectors in critical 
infrastructure, the initial efforts are designed to help identify existing cross-sector 
security standards and guidelines that are applicable to critical infrastructure. 

How will NIST ensure that we are working across sectors to promote information 
sharing? I know that you held a workshop, but will there be some type of clearing- 
house where information sharing can take place across sectors? 

Answer. NIST works with Federal agencies and private sector companies to de- 
velop underlying standards and best practices that are used to support a wide array 
of information sharing activities. These standards and best practices are a funda- 
mental component of providing interoperability between organizations, allowing for 
rapid and accurate sharing of information between government and industry, and 
industry to industry. The collaborative development approach ensures that the 
needs of all sectors are adequately addressed, leading to an information sharing eco- 
system that benefits all organizations. 

Question 7. The Department of Defense (DoD) has led a successful voluntary in- 
formation sharing program that allows participating entities to gain access to 
cybersecurity solutions. Has NIST engaged DoD and other agencies in the National 
Security space to gain lessons learned to implement during their establishment of 
voluntary standards? 

Answer. NIST works with the Department of Defense and other Federal agencies 
to share information, experiences, and lessons learned relating to the development 
of and use of voluntary standards. 

Question 8. As NIST is contemplating a new cybersecurity framework for all crit- 
ical infrastructure industries, the energy sector has significant questions about how 
this will be implemented. Cybersecurity in the power sector has been regulated by 
the North American Electric Reliability Corporation (NERC) for a long time. NERC 
administers Critical Infrastructure Protection (CIP) Reliability Standards. CIP re- 
quires implementation of specific cybersecurity protections, and subjects industry to 
penalties for noncompliance. Regulators are also trying out new ways of preserving 
cybersecurity. NERC and FERC — the Federal Energy Regulatory Commission — are 
supplementing their role as enforcement agencies and taking on more voluntary out- 
reach activities, including the sharing of cyber threat information. 

The Executive Order requires NIST to develop a “cybersecurity framework” for all 
critical infrastructure industries, but it seems unclear as to how NIST will interact 
with the NERC’s existing standards. How will you ensure that the new standards 
complement existing cyber protections for the electricity sector and do not add new 
regulations or rules that would contravene existing programs? 
Answer. The Executive Order directed the National Institute of Standards and 
Technology (NIST), a non-regulatory agency, to lead the development of a frame- 
work to reduce cyber risks to critical infrastructure. NIST worked closely with 
stakeholders from all critical infrastructure sectors including the Energy Sector, 
NERC, the Federal Energy Regulatory Commission (FERC) and the Department of 
Energy (DoE). Regulatory agencies will use the Cybersecurity Framework to assess 
whether existing requirements are sufficient to protect against cyber attack. If exist- 
ing regulations are insufficient or ineffective, then agencies must propose new, cost- 
effective actions based upon the Cybersecurity Framework. Regulatory agencies will 
use their existing process to consult with their regulated companies to develop and 
propose any new regulations, allowing for a collaborative process. 


Response to Written Question Submitted by Hon. Mark Warner to 
Arthur W. Coviello, Jr. 

Question. On February 13, 2013, President Obama signed Executive Order 13636, 
“Improving Critical Infrastructure Cybersecurity,” and the White House re- 
leased a related Presidential Policy Directive (PPD-21), both of which work to 
strengthen the cybersecurity of critical infrastructure in the U.S. 

The Executive Order directed NIST to work with industry and develop the 
Cybersecurity Framework, and the Department of Homeland Security (DHS) to es- 
tablish performance goals. DHS, in collaboration with sector-specific agencies, is 
charged with supporting the adoption of the Cybersecurity Framework by owners 
and operators of critical infrastructure and other interested entities through a vol- 
untary program. 

Legislation recently introduced by Senators Rockefeller and Thune reinforces these 
executive directions, tasking the National Institute of Standards and Technology 
(NIST), in coordination with the industry, with developing a set of standards and 
best practices to reduce cyber risks to critical infrastructure. 

While the actions of the Executive Branch are a step in the right direction, there 
are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you 
believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators 
Rockefeller and Thune is effective in filling these gaps? If not, what are your rec- 
ommendations for legislative action that should be taken to strengthen America’s 
cybersecurity? 

Answer. This legislation complements the President’s Executive Order by codi- 
fying the important steps the Administration has already taken to protect critical 
infrastructure and gives government and industry additional tools to bolster our 
cyber defenses. We are pleased to see that S. 1353 requires a voluntary, non-regu- 
latory process, enabling further collaboration between the public and private sectors 
to leverage non-prescriptive and technology-neutral, global cybersecurity standards 
for critical infrastructure. We also commend the Committee for including crucial 
provisions to support cyber research and development; increase awareness of cyber 
risks; and improve cybersecurity education and workforce training. 

It is imperative that Congress addresses other key cybersecurity issues not under 
this Committee’s jurisdiction. These include advancing the sharing of cyber threat 
intelligence between government and industry; establishing liability protections for 
entities that share threat information; and streamlining acquisition of technology. 
We urge the Congress to examine ways to break down barriers to information shar- 
ing and create incentives for the public and private sectors to work together to safe- 
ly and securely share real-time, actionable information about cyber threats. Linking 
the adoption of cybersecurity standards to incentives such as liability protection and 
streamlined acquisition of technology will create a positive business climate while 
improving our Nation’s cybersecurity posture. We also support additional legislative 
initiatives to update criminal laws and penalties; enact Federal data breach law; 
modernize Federal Network Security continuous monitoring efforts; and develop rea- 
sonable and effective policy approaches to supply chain protection that will not stifle 
innovation and competition. 


Response to Written Question Submitted by Hon. Mark Warner to 
Mark G. Clancy 

Question. On February 13, 2013, President Obama signed Executive Order 13636, 
“Improving Critical Infrastructure Cybersecurity,” and the White House re- 
leased a related Presidential Policy Directive (PPD-21), both of which work to 
strengthen the cybersecurity of critical infrastructure in the U.S. 
The Executive Order directed NIST to work with industry and develop the 
Cybersecurity Framework, and the Department of Homeland Security (DHS) to es- 
tablish performance goals. DHS, in collaboration with sector-specific agencies, is 
charged with supporting the adoption of the Cybersecurity Framework by owners 
and operators of critical infrastructure and other interested entities through a vol- 
untary program. 

Legislation recently introduced by Senators Rockefeller and Thune reinforces these 
executive directions, tasking the National Institute of Standards and Technology 
(NIST), in coordination with the industry, with developing a set of standards and 
best practices to reduce cyber risks to critical infrastructure. 

While the actions of the Executive Branch are a step in the right direction, there 
are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you 
believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators 
Rockefeller and Thune is effective in filling these gaps? If not, what are your rec- 
ommendations for legislative action that should be taken to strengthen America’s 
cybersecurity? 

Answer. S. 1353, the Cybersecurity Act of 2013, provides some of the needed legis- 
lation for protecting our Nation’s critical infrastructure and complements the Feb- 
ruary 2013 executive pronouncements. 

To continue to protect our nation’s infrastructure, we must pass cyber threat in- 
formation sharing legislation. This legislation must provide liability protection for 
the sharing of threat information, allow for sharing among the private sector and 
from the government to the private sector, build upon existing relationships and 
protect personal privacy. While the financial sector has been engaged in information 
sharing for a long time there are still many institutions in our sector and other crit- 
ical infrastructure sectors who are constrained in their ability to share due to liabil- 
ity concerns. 

Given the interconnected nature of cyberspace, institutions recognize that the 
strongest preparations and responses to cyber attacks require collaboration beyond 
their own companies. As a result, the sector has engaged in a number of collabo- 
rative efforts, which would be enhanced with the passage of information sharing leg- 
islation. 

Through the Financial Services Information Sharing and Analysis Center (FS- 
ISAC), participants share threat information between financial institutions and the 
Federal government, law enforcement and other critical infrastructure sectors. The 
FS-ISAC also has a representative for the sector on the National Cybersecurity and 
Communications Integration Center floor to provide the Department of Homeland 
Security (DHS) insight into the financial sector’s issues and incidents and provide 
an additional fan out for information from DHS to the sector. 

The ability to share information more broadly is critical and foundational to our 
preparation for and response to future attacks. While we constantly review opportu- 
nities to improve the information shared within our industry, it is vital that our ef- 
forts also include sharing information across sectors and between the government 
and the private sector. Each company and public sector entity has a piece of the 
puzzle and an understanding of the threat. Our ability to share this information will 
greatly increase our ability to prepare and respond to threats. 


Response to Written Question Submitted by Hon. Mark Warner to 
Dorothy Coleman 

Question. On February 13, 2013, President Obama signed Executive Order 13636, 
“Improving Critical Infrastructure Cybersecurity,” and the White House re- 
leased a related Presidential Policy Directive (PPD-21), both of which work to 
strengthen the cybersecurity of critical infrastructure in the U.S. 

The Executive Order directed NIST to work with industry and develop the 
Cybersecurity Framework, and the Department of Homeland Security (DHS) to es- 
tablish performance goals. DHS, in collaboration with sector-specific agencies, is 
charged with supporting the adoption of the Cybersecurity Framework by owners 
and operators of critical infrastructure and other interested entities through a vol- 
untary program. 

Legislation recently introduced by Senators Rockefeller and Thune reinforces these 
executive directions, tasking the National Institute of Standards and Technology 
(NIST), in coordination with the industry, with developing a set of standards and 
best practices to reduce cyber risks to critical infrastructure. 

While the actions of the Executive Branch are a step in the right direction, there 
are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you 
believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators 
Rockefeller and Thune is effective in filling these gaps? If not, what are your rec- 
ommendations for legislative action that should be taken to strengthen America’s 
cybersecurity? 

Answer. The Cybersecurity Act of 2013 (S. 1353) represents a sensible, bipartisan, 
non-regulatory approach to an issue of utmost importance to the manufacturing in- 
dustry. Manufacturers support creating an industry-led, voluntary standards devel- 
opment process, strengthening the cybersecurity research and development strategy 
inside the Federal government, creating a high-skilled cybersecurity workforce and 
raising public awareness of cyber threats. 

The NAM is pleased that this legislation prohibits the creation of a duplicative 
regulatory regime that would put undue burdens on manufacturers while at the 
same time solidifies the public-private partnership to address an issue of critical 
importance to our nation. 

The top priority of manufacturers is allowing the voluntary sharing by the public 
and private sector of real-time threat information to allow manufacturers to better 
protect themselves from cyber threats. In contrast, under current law, the govern- 
ment is prohibited from sharing sensitive cyber-threat information with the private 
sector. Companies also are not permitted to share information freely with their 
peers. 

The NAM encourages the Senate to consider legislation similar to the Cyber Intel- 
ligence Sharing and Protection Act (CISPA) of 2013 (H.R. 624), which the House 
passed earlier this year and was supported by the NAM. This legislation, if signed 
into law, will allow the government to share timely and actionable threat and vul- 
nerability information with the private sector. 